My point is that the vulnerable points, regardless of where they come from, are ultimately there because the purpose of the Defender is not to have perfect cyber security, but to use computers and technology to enable business. Or as you said, "losses are a part of the business"; and that's so because "the business" isn't cyber security.