We generally do a good job of protecting the big items in our infrastructures, applications, and frameworks. We can easily see and block the barbarians at the front door. We protect our networks with firewalls and deep packet inspection.
We protect open services with code that identifies and blocks known attacks and brute-force attempts. We compartmentalize larger implementations so that a breach or problem in one doesn’t affect the others.
Frankly, the big objects are the easy part of security. But the tiny, insidious, and completely unforeseen vectors always seem to get us — like a tiny bit of code that was overlooked for years in OpenSSL or Bash, or, to take the latest example, Venom (CVE-2015-3456), the hyped name given to the latest threat to virtualized infrastructures.