Much of cyber defense today relies on the same approach used in kinetic defense over the last few thousand years. We use hard perimeters (firewalls) to repel attacks, sentries (IDSs) to trigger incident response, and carefully guarded entry points (VPNs, websites) to meet functional requirements (wait…security is still a non-functional requirement?). It is both a poor defense, and indicative that we have a poor model of our adversaries.
Admittedly, the standard defense model is easier and less (immediately) costly than the alternative of hardened applications and databases. Nobody seems to notice, though, how that defensive strategy often worked . . .