You have been thinking about security wrong.


In the world of operational security there is a long-standing INFOSEC model called the CIA Triad.

The CIA Triad

The CIA model is designed to guide the design of security policies based on the ideas of keeping data private (confidentiality), ensuring data is accurate and reliable (integrity), and making data available whenever it is needed (availability).

The CIA Triad is a risk-based approach to addressing security. It is a formalization of the way most people and organizations typically think about security. Critical information is identified. Risks and threats are identified, and actions are taken to reduce, monitor and mitigate them. Security teams use this analysis to build threat models that consider what might disrupt operations and what alternative scenarios could mitigate the harm.

The weakness of a risk-based approach to security is that it can only address known risks. There are things we know, and we know that we know them. There are things that we don't know, and we know we don't know them. Then there are the things that we don't know and do not know that we do not know.

We can take actions to address the things that we know and know that we know.

We can learn about the things we know we don't know and take actions to address them.

For things we don't know, and don't know that we don't know, there is no action to take.

Even if we could achieve 100% knowledge of every vulnerability today, there will be a new exploit tomorrow and there will be a new attacker seeking to do harm.

Focusing on risks to reduce vulnerabilities and threats is futile. There will always be a gap in our knowledge.