It can be done. For every firm that hits the news, there are plenty that thwart attacks, but attacks repelled don't make the news.
Take one large, recent breach as an example. If they had any type of lockout or alerting protection on their Active Directory service accounts, the brute force on their AD accounts would have been stopped in its tracks. In fact, the AD default is a 20 minute lockout every few bad guesses.
Target and others would have the attacks stopped cold by an IDS/IPS. No, these are not cheap, but neither are losses due to stolen credit cards, and an IDS/IPS is part of the PCI-DSS3 spec, so not having one can get a business's merchant account yanked. This is the cost of doing business.
Security isn't rocket science. Physical security is well tested and does a decent job against all but armed robbers, and it just takes applying the same mindset, setting the alarm to go off when the last authorized employee leaves the store at night, to network protection.
There are also advances in the server room which can make it attractive to focus on moving data in-house. Denser blade/enclosure chassis come to mind. I won't be surprised to see variants on HP's Moonshot with 45 blades in a 5U chassis, future models perhaps sporting liquid cooling, with a dedicated radiator/fan/heat exchanger. Even though Moore's Law has slowed, it still is going fairly strong, and the computers that we will be stuffing in racks in five years will have at least 4-8 times as many transistors as the ones we have now.
VDI and remote access aren't standing still either. Allowing for -access- to the data via an application, but blocking access to the machines, creates another security barrier. Again, not a 100% thing, but it is significant enough to reduce attacks, since sensitive data would be fenced in.
Cloud computing isn't going to disappear. It has its place. However, a business pays for servers, either by buying the physical machines and stuffing them in the data center, or renting usage via a cloud provider. Another downside is that cloud computing (or more specifically cloud storage) requires high bandwidth WAN connections, which can get expensive. A data center can rely mainly on LAN bandwidth which can be a lot cheaper. Smaller businesses can be better off with cloud solutions, but larger businesses may benefit by keeping everything in-house.
[1]: Going on the security tangent, I will toss one thing out that just might help security in general which might be added on in the next few years: Add a time value. A restaurant doesn't need the same physical protection at 12:00 noon as it does at 12:00 AM when nobody is in the store. Same with stores and businesses and their network connections. If a store is closed for the night, their subnets should be isolated from the Internet for everything but security patches, alarms/traps, and other essential communication.
Take a law firm. Unless there is an exception, their individual partner offices, floor, and entire building are locked at night. This should be the same with networks. If nobody needs access, and exceptions are in place for remote use, then why should there be any Internet access (in/out) when nobody is there? Assuming the blackhats are attacking evenly 24/7, cutting network access to, say, 0700 to 1900 means that half the attacks mounted against the network would fail.
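The time-window policy described in the comment above, sketched as an added example that is not part of the original comment: flows inside the 0700 to 1900 window pass, after-hours flows pass only if they match an exception (patches, alarms/traps, remote use), and everything else is blocked and reported. The exception list, addresses, ports and flow records are constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Business window taken from the comment: 0700 to 1900.
OPEN, CLOSE = time(7, 0), time(19, 0)

# Constructed after-hours exceptions (direction, remote network, port).
# Addresses are documentation ranges, not real hosts.
EXCEPTIONS = [
    ("out", ip_network("192.0.2.10/32"), 443),     # security patch mirror
    ("out", ip_network("192.0.2.20/32"), 162),     # alarm / SNMP trap receiver
    ("in", ip_network("198.51.100.0/24"), 1194),   # approved remote-use VPN clients
]

def in_window(ts, open_=OPEN, close=CLOSE):
    """True if ts falls inside the open window; handles windows that cross midnight."""
    t = ts.time()
    if open_ <= close:
        return open_ <= t < close
    return t >= open_ or t < close

def decide(ts, direction, remote_ip, port):
    """Return 'allow', 'allow-exception' or 'block' for one flow.
    remote_ip is the Internet-side address; port is the destination port."""
    if in_window(ts):
        return "allow"
    addr = ip_address(remote_ip)
    for exc_dir, net, exc_port in EXCEPTIONS:
        if direction == exc_dir and addr in net and port == exc_port:
            return "allow-exception"
    return "block"

# Constructed flow records: (timestamp, direction, remote IP, destination port).
FLOWS = [
    (datetime(2024, 1, 8, 12, 0), "in", "203.0.113.5", 443),
    (datetime(2024, 1, 8, 23, 30), "in", "203.0.113.5", 22),
    (datetime(2024, 1, 9, 2, 15), "out", "192.0.2.10", 443),
    (datetime(2024, 1, 9, 2, 20), "out", "203.0.113.77", 443),
    (datetime(2024, 1, 9, 3, 0), "in", "198.51.100.14", 1194),
]

def audit(flows):
    """Return the flows that the after-hours policy would block, for alerting."""
    return [f for f in flows if decide(*f) == "block"]

if __name__ == "__main__":
    for flow in audit(FLOWS):
        print("after-hours block:", flow)
```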