A lot of not very good engineers like these absolute answers and like things to be black or white. I run into them frequently. The worst is probably the IT security field, where things are often viewed as secure or not, with nothing in between.
To be fair, either you are dead or not... or the favorite from years ago, you are not just a little bit pregnant. You either are pregnant or you are not.
That being said, managing risk is a numbers game, which is where the black-and-white people fail miserably. Which is essentially what you said. I am just trying to nuance the situation here a bit and point out why the infosec folks that are weak actually are weak.
Disclaimer: I work in infosec.