Friday, 24 June 2011

The problem with IT security ...

The real problem with IT security is exactly that summed up by Gerry Adams when talking about IRA terrorist attacks in the late eighties:

They [the security forces] need to be lucky every day - we only need to be lucky once

in other words, if the miscreants, terrorists or whatever try often enough they'll get lucky sooner or later. Of course in the cyberworld, there are many more miscreants, more cheap computing power available and more tools to try automated attacks.

So, no matter how good your firewall, how strict your patching schedule, sooner or later you are going to get breached.

This doesn't mean you do nothing - you do need to patch and maintain systems to minimize the risks - but you also need to be prepared for a breach, and have a damage control strategy in place, even if your planned engineering response consists of turning everything off and redirecting all traffic to a single web page saying "we've had a problem - back soon". Sooner or later someone will notice, and given that your web pages are your public face, you need to be prepared to explain what's happened, even before you know fully what's happened.

Despite having quoted Gerry Adams at the start of this I tend on the whole to dislike comparisons between hacking and terrorism - the consequences of a data theft or downing a website are nothing compared to those of blowing up a large public building - but there is one valid comparison - airport security.

Airport security is universally acknowledged to be a pain, laptop out, shoes off, pockets emptied etc etc, and also to be imperfect. I'm sure I'm not the only person to have inadvertently carried something I shouldn't through security - in my case a forgotten tube of hand sanitiser - and not been detected by the scanners.

Despite all this airport security is also a pretty successful deterrent - people on the whole know not to do certain things, and the detection rate is good enough to deter deliberate attempts to circumvent the system. The same is true about IT security. Most of the time it's good enough and stops most attempts.

The problem is that it's not perfect, and because major breaches are rare, they're immediately high-profile ...
