When do you stop working on a task? When the thing you are working on works. That is true for most things in life: when the garbage disposal is fixed, why keep working on it? Unfortunately, in security that technique doesn’t carry over. IT people often stop working on something when what they are installing works. When the firewall works, they move on. When the system is installed, they move on. This is a flawed approach.
In security, you have to test mostly for something not working. By that I mean we need to make sure the bad guys can’t get in. If we stop when it works, then maybe we opened too much access. Maybe we left a trail of holes in order to get the system installed.
Security practice starts with a simple principle: what is the minimum I need to do?