No, security is about trade-offs. If you throw absurd resources toward protecting against entirely unrealistic threats and your company goes out of business, you've failed. If you have legitimately made the risks small enough, for the resources and threat model (and that threat model sufficiently matches reality), you've succeeded. There are of course some legitimate caveats, including talk of externalities and questions about how one would measure things, but I still assert my basic model is more correct than yours.
Recognition that security is only as strong as the weak link does not imply that all links must be infinitely strong.