I recently did a presentation on the $subject. You can access the slides from here. I used to think that if you have nearly perfect security controls in place, you have a higher probability of surviving malicious attacks. But the more I work in this area, the more I am convinced that technology plays only a partial role; People and Process play a bigger role. It is more evident if you look at insider attacks; these are carried out by people who have legitimate access to the systems/resources.