I love this analogy brought by Andrew Magnusson in his book Practical Vulnerability Management. I highly recommend reading his work.
Vulnerability management is one of the foundational concepts of information security. A perfectly written and configured software package doesn’t exist. Bugs are an inevitable part of software, and many bugs have security implications. Dealing with these vulnerabilities is a perennial issue in information security.
After World War I, France tried to protect itself from Germany by building a long line of forts and entrenchments along its German border. It was named the Maginot Line after the French minister of war.
But when World War II began, the Germans ignored the barrier by simply going around it, invading France across the Belgian border instead. All of that expensive defensive infrastructure was irrelevant.
The same goes for your environment. If it doesn’t have a foundational level of security, any additional countermeasures are no more than a Maginot Line. Attackers can easily avoid them because there is an easier path elsewhere. But by establishing a vulnerability management baseline and maintaining it via an active vulnerability management program, you can trust that additional security measures will add real value to your security program.