There is no excuse for lax security.
I generally agree, but there are some instances in which people go overboard with implementing so many security features and failsafes that they destroy the purpose, usability, interoperability, and user friendliness of their products/services. Being "security aware" is entirely different from being "blatantly paranoid," the latter of which is extremely detrimental to productivity and longevity.
You can't plan for everything, so to try is both futile and costly (costly in both time and money). You can plan for the most common and most expected vulnerabilities though, and should target those with your best efforts. Once those are taken care of, you can plan for a few various wildcard worst-case scenarios, but you'll never reach a "catch-all" peak unless you just disconnect your products/services from the world.