There's such a thing. You can get asymptotically close to "perfect security", but it really is a risk evaluation game. Is it worth it to spend $20,000 to run a pen test and make sure we're not grossly vulnerable to attack? Sure! Is it worth spending $50B to develop our own hardened OS, hosted inside our data bunker with airgapped servers running on custom CPUs? Probably not. The challenge becomes how to identify when you're as good as you reasonably can be given the threats you realistically face on a budget that doesn't resemble a small country's GDP.


Of course there's always a scenario that could be malapropos; yet most of the time we're not comparing $20k to a figure that has a larger GDP than many countries. I always get a kick out of people on the internet who take what I say and blow it way out of proportion to try to win an argument against me that I never made in the first place.

Anyway, I agree with your last sentence; at what point is something "good enough". Lately I feel like the "good enough" in a significant amount of corporations isn't acceptable. I'm in healthcare and the absolute lack of security in my day to day is absolutely amazing.


I think you're reading stuff into my reply that I didn't intend. I didn't want to argue with you. I read your post as though you were asking a question, and I answered it.

I agree with you on that last bit. While it's important to have your compliance ducks in a row, a lot of shops seem to feel like "we've checked all the audit checkboxes so we're secure now!" No. All that stuff is nice, but having a documented process for deciding who gets root on your database servers is not the same as actually securing your database servers.