Imagine this is an entire system functioning for its purpose. Even though there is control to secure it, the control applies to one component only leaving the other portions vulnerable.
If those vulnerable portions are compromised, the entire system won’t work.
By the same token, this scenario could facilitate business continuity planning. What are the necessary system components required to maintain the minimal service then secure them, or make them resilient.
A holistic thought process is needed to figure out the business outcome, the minimal components, any vulnerabilities then derive the necessary controls.