It isn't what vulnerabilities you have or what defenses you have in place, but how easily these systems can be circumvented. There will always be a new vulnerability in software that pops up (application or operating system related).  The quest to keep everything patched is endless.  People, or companies, or departments, love automatic.  We like to have everything just run for us and send us a report at the end of the month.  Automatic scans, patching, etc..

People who want to get into your network are willing to work at it a lot harder than most companies work at keeping them out.  They aren't using automatic tools to break in.  They rely on human intelligence to develop the tools to circumvent the controls you put into place.  Software can be programmed to turn left or right at an intersection but not think critically given the circumstances that it doesn't know about.  A hacker can look at each route and proceed down each path, back-up if needed, and try again until he finds the best route to his destination.