All biometrics can be fooled if the biometric sensor system alone is all you are using for the security.
Biometrics only uniquely identifies a person. You still need another person (security guard, for example) or technology (detect a live human being and/or a real eye) to verify it is a person that provides the biometric input. This is to prove an actual person is there.
Until someone switches eyes out (improbable) or finds a way to implant the iris image of another individuals eye within their own eye (improbable) a security person can verify an eye is actually being scanned by the biometric scanner. Add an independent security feature (ID, password, etc.) and it's a pretty darn good security system.