Possibility is not Probability

RSnake makes the fairly obvious point that no website is invulnerable to compromise. No legitimate security professional would make the mistake of suggesting that they are totally secure (though it isn't uncommon for unknowing IT professionals to suggest it).

But risk exists with everything we do, and simply being vulnerable does not mean you will be compromised. This is the challenge with risk management: dealing with varying levels of uncertainty. Many folks treat the likelihood of an event as a binary switch (or at least prefer to), flipping between 0% and 100% certainty that it will occur. Economists call this the certainty effect, and it is related to prospect theory and the pseudocertainty effect.

Believing that vulnerability equals compromise completely ignores the notion of threat and the existence of probability. RSnake hints at this with this comment:

"Many of the CISOs I talk to mention esoteric bugs as their top concern
and I have to stop them and explain how unlikely it is that they’ll be
hit by that specific kind of exploit, but rather how incredibly likely
it is they’ll be hit by something mundane that’s been out there for

I am not sure what CISOs he is talking to — most that I know are much more rooted in fundamental problem solving. In any case, he clearly is making a subjective probability statement here, which is an appropriate way to address problems like this.

So it becomes pretty clear pretty quickly that threat is the gating factor for our risk, and this means we should spend much more time making it harder for the attacker to get in. RSnake again:

"…if an attacker takes any system and applies enough resources against it they will get into it…"

That part about 'enough resources' is crucial. We cannot completely prevent an attack against our systems, but we can make it very expensive.