The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.
Bruce is right if you confine yourself to thinking that "secure" is the same as "zero vulnerabilities." This is one-dimensional thinking and correct as long as you stay within that one dimension. As I defined in The Tao of Network Security Monitoring, security is the process of maintaining an acceptable level of risk. I defined (using the common method) risk as the product of threat, vulnerability, and asset value, or R = T X V X A.
The link for this article located at TaoSecurity is no longer available.
