The basic problem is that the security bod has to think of all the ways the hacker might try. The hacker only has to find one hole.
When I was a working bunny, the simple principle I proclaimed was that nothing on a network was totally secure. I proved my point to the IT director by the simple expedient of telling him what his password was. I didn't tell him how I'd got hold of it, and when I retired the "hole" was still there.
With hindsight, I should probably have told him where the hole was, but I thought it would make his security folks work harder to try to find it. I hope they found and blocked lots of others.