This is really the only sane way to manage security. Even though there is no such thing as real, absolute security, there is such thing as more secure. This increase in security has a neccessary increase in time and manpower related to it. You just have to look at what kind of data you are handling, the sensitivity of the data, how much you care, how much time and money you have, and countless other factors, and then make a security model for yourself.

The cost of superior security is eternal vigilance.