Every system has its own weakness and limitation. We can’t build a total secure system practically unless it is on the shelve without any usage value.
There is always the need to assess the risks to opt for optimal security controls. The key part is the “users” that they are expected to behave within the security boundary. Don’t try to address ALL vulnerabilities because it is unwise and a never-ending story. Even if this is achievable, it is just a snapshot at a particular point in time.
The proper approach is that
- Understand what are the inherent vulnerabilities
- What are the compensating controls surrounding the core system to reduce the likelihood
- If there are any alternate facilities to maintain the minimal business operations should bad things happen