Lessons learned from a few Penetration Tests I conducted support the approach cited above.
It is true that there is no way to assure absolute Security (for a deeper explanation of why, see the web site of the well-known security guru Bruce Schneier).
Any Security mechanism is breakable by someone who has the expertise and spends a lot of resources (including time).
But it is also possible to breach Security without expertise, spending only a few resources over a very short time: just exploit the weakest link.
As part of a Penetration Test, I always looked for simple, unsophisticated methods to penetrate rather than penetrating by very sophisticated methods.
These methods could be used by anyone, unlike the sophisticated ones, which could be used only by a limited group of very talented experts.
What is the weakest link?
In my experience it is the human factor.
For example, let's explore password mechanisms. You may deploy a very sophisticated password pattern, a frequent password change cycle enforced automatically and a reasonable suspension mechanism for inactive users, but if users hang notes with their passwords on their screens (or on other visible objects), these good mechanisms are futile. Let alone the pattern demonstrated by an incident I experienced while conducting a Penetration Test.
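The three mechanisms named above (a password pattern, an automatic change cycle and suspension of inactive users) are the machine-checkable part of a password policy. The following is an added example, not code from the original post: it implements those three checks over a constructed set of accounts, with policy thresholds (12 characters, 90-day rotation, 45-day inactivity) that are assumptions chosen for the example. It also makes the author's point concrete by omission: nothing in it can see the note hanging on the screen.

```python
"""Account hygiene checks: password pattern, rotation age, inactivity suspension.

Added example, not from the original post. All accounts and thresholds are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

# Policy thresholds are assumptions for this example, not values from the post.
MIN_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 45
TODAY = date(2024, 6, 1)  # fixed clock so the results are reproducible

# The "sophisticated password pattern": one character from each class.
PATTERN_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_pattern(candidate: str) -> list[str]:
    """Return the pattern rules a proposed password violates (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    missing = [name for name, rx in PATTERN_CLASSES.items() if not rx.search(candidate)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


@dataclass
class Account:
    user: str
    password_set: date   # when the current password was last changed
    last_login: date     # most recent successful logon
    suspended: bool = False


def review_accounts(accounts, today=TODAY):
    """Apply the rotation and inactivity rules; return {user: [actions]}.

    Already-suspended accounts are skipped: there is nothing left to enforce.
    """
    findings = {}
    for acct in accounts:
        if acct.suspended:
            continue
        actions = []
        if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
            actions.append("force-password-change")
        if (today - acct.last_login).days > MAX_INACTIVE_DAYS:
            actions.append("suspend-inactive")
        if actions:
            findings[acct.user] = actions
    return findings


# Constructed sample directory: one compliant account and three kinds of drift.
ACCOUNTS = [
    Account("alice", date(2024, 5, 20), date(2024, 5, 31)),   # compliant
    Account("bob", date(2024, 1, 10), date(2024, 5, 30)),     # password too old
    Account("carol", date(2024, 4, 1), date(2024, 2, 1)),     # inactive
    Account("dave", date(2023, 12, 1), date(2024, 1, 15)),    # both
    Account("erin", date(2023, 1, 1), date(2023, 1, 1), suspended=True),
]

if __name__ == "__main__":
    print(check_pattern("Summer2024"))      # too short, no symbol
    print(check_pattern("C0rrect-H0rse-Battery!"))
    print(review_accounts(ACCOUNTS))
```

Run it as a scheduled job against your directory export and you get the enforcement the post describes; the gap it leaves is exactly the one the post is about.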
Before a meeting with the CSO, I had discovered a user whose authorization went far beyond his role requirements. In front of the CSO I asked him for his password, just to demonstrate that it is possible to misuse the unneeded authorization. Instead of keying in the password, he wrote it on a note and handed it to me. I am quite sure that a lot of employees who lack Security awareness training would give their passwords to unauthorized people (a well-known phishing method is sending an e-mail message carrying a bank logo or eBay's PayPal logo and asking the recipient to type their credentials into a form). If the unauthorized people are, or pretend to be, employees of a respectable organization (e.g. a research institute, a market analysis firm, a well-known software brand or a consulting company), then the probability of disclosing information is higher.
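The user in the story held authorization far beyond what his role required, which is the kind of drift a periodic access review is meant to catch before a tester (or anyone else) finds it. The following is an added example, not from the original post: a least-privilege review that diffs each user's actual grants against the baseline for their assigned role. The roles, permission names and users are all constructed for the illustration.

```python
"""Least-privilege access review: flag grants a user holds beyond their role's baseline.

Added example, not from the original post. Roles, permissions and users are constructed.
"""

# What each role legitimately needs (constructed baseline).
ROLE_BASELINE = {
    "clerk": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read", "report:read"},
    "admin": {"ledger:read", "ledger:post", "user:manage", "report:read"},
}

# Role assignment per user (constructed). "heidi" has grants but no role.
USER_ROLES = {"eve": "clerk", "frank": "auditor", "grace": "admin"}

# What each user actually holds today (constructed snapshot of the access system).
ACTUAL_GRANTS = {
    "eve": {"ledger:read", "ledger:post", "user:manage"},        # clerk with admin grant
    "frank": {"ledger:read", "report:read"},                    # matches role
    "grace": {"ledger:read", "ledger:post", "user:manage", "report:read"},
    "heidi": {"report:read"},                                   # orphan: no role at all
}


def find_excess(user_roles, grants, baseline):
    """Return {user: sorted grants not justified by the user's role}.

    A user with no role (or an unknown role) has an empty baseline, so every
    grant they hold is reported: orphan accounts are the most common way
    "authorization beyond the role" survives unnoticed.
    """
    excess = {}
    for user, perms in grants.items():
        allowed = baseline.get(user_roles.get(user), set())
        extra = perms - allowed
        if extra:
            excess[user] = sorted(extra)
    return excess


def review_report(user_roles, grants, baseline):
    """One human-readable line per finding, ready for a ticket or a CSO briefing."""
    lines = []
    for user, extra in sorted(find_excess(user_roles, grants, baseline).items()):
        role = user_roles.get(user, "<no role>")
        lines.append(f"{user} ({role}): remove {', '.join(extra)}")
    return lines


if __name__ == "__main__":
    for line in review_report(USER_ROLES, ACTUAL_GRANTS, ROLE_BASELINE):
        print(line)
```

The comparison is deliberately one-directional: a user holding less than the baseline is a usability ticket, not a security finding, so it is not reported here.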
For additional information on the effect of representing a respectable organization, read about the classic psychological experiment conducted by Milgram many years ago.
This experiment is depicted in a YouTube video.
The human link is even weaker than I expected. Recently I read eWeek's Brian Prince post titled "You are the weakest link", and found that in a report surveying 967 end users (the survey was sponsored by IronKey), roughly half of those surveyed said that their corporate data security policies are largely ignored by both employees and management. The severity of the policy violations varies.
For example, 61% admitted to copying confidential data and transferring it to a non-corporate device, and more than 20% turned off security measures such as anti-virus software, desktop firewalls and encryption on enterprise devices.
It is clear that the weakest link is the human being. Precious and complicated Security software is not enough.
The question to be asked is: why?
Part of the answer is human nature, but the other part could be reduced or eliminated.
As found in the survey, more than half (58%) of those surveyed said they felt their companies did not provide adequate training on following the rules, and 46% said the policies were too complex to understand.
The key to good-enough Security is awareness, awareness and awareness.
An adequate and down-to-earth Security Policy may also be helpful.