“Limits are what we fear.”
… R. Buckminster Fuller
The organizations that enforce the strictest corporate security are often the ones that are the least secure. With the exception of organizations whose very mission is security (say, the Coast Guard, intelligence agencies, banks or body shops that rent uniformed personnel as their mission), the more resources an outfit throws at security, generally the less likely it is they are getting any bottom-line value for it.
Unless you have an unlimited budget, every dollar spent on securing assets is a dollar subtracted from something productive—at best, dollars spent on successful security are resources you could have spent on R&D or marketing or customer service or dividends that are now lost to you forever.
Sometimes the complexity of an initiative that requires extremely secure systems makes it nearly impossible to succeed, even for a skilled organization with unlimited resources and a skilled SI. A recent example that serves as a perfect warning is the $104+ million bloodbath the FBI suffered in its Trilogy project, a perfectly straightforward case file management and sharing system so larded with the need for absolute security that essential parts of it wont ever be deployed.
If the FBI—with a mission that everyone recognizes as vital and with supplied resources to match—cant get to the finish line, I suggest its not going to be any easier for anyone with a less vital mission.