Apparently you don't understand the concept of reasonable and prudent. No one ever said following rules, regulations and guidelines ensures you are secure, but so long as what you are doing is reasonable, prudent and also at the very minimum the industry best practices, you wouldn't have to worry about being sued. Granted, anyone can sue anyone for fun and profit, but by taking reasonable and prudent actions, usually defined as a minimum of industry best practices, you can avoid losing the lawsuit. A zero-day exploit that is used to carry out an attack is entirely possible but is not negligence. An exploit that is 5 years old, for which a patch has been available for 4 years 11 months and mitigating measures for 5 years, that is used to attack a system that has not been patched or had mitigating actions taken is negligence, as it would be reasonable and prudent in that time to take appropriate measures to resolve the vulnerability. Where you run into some grey area is when there is an exploit that was recently disclosed and a patch or mitigating measures are available. On day 1 of the disclosure it isn't reasonable or prudent to deploy those to production systems, but at what point is it reasonable and prudent to have done so? In this case regulations like NERC CIP provide a definition of what is a reasonable time so that covered entities can fully test and evaluate changes before applying them to a production system.
Additionally, good security regulations and rules will employ the defense in depth principle, which will help to mitigate problems if a vulnerability is discovered. Furthermore, good regulations require some form of continuous monitoring of the system looking for issues and strange traffic, files, and/or behavior. So network firewalls, NIDS/NIPS devices, segmented LANs, host-based firewalls, HIDS, a patch management program, following a security benchmark for the host and applications, practicing least privilege, having minimal software installed on the host, having a tool scanning your network looking for new devices, having a vulnerability scanner scanning devices and hosts on your network, etc. all provide a good defense and provide multiple layers to stop and detect attacks in different ways. Sadly this costs money and doesn't show a return on the bottom line, so it is seen as only a cost center, until there is a breach, so companies don't want to spend on doing what is needed.
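The "how long has a fix been available" reasoning in the comment above is the kind of thing a patch management program turns into a routine check. The script below is an added example, not code from the thread or from any regulation: it classifies each unpatched asset as having no fix available yet, being inside an evaluation window, or being overdue, based on the earliest date a patch or mitigation existed. The 35-day window, the vulnerability IDs, hostnames and dates are all constructed sample values and are not a statement of what NERC CIP or any other standard requires.

```python
"""Patch-window compliance check over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                           # constructed label, not a real CVE
    disclosed: date
    patch_available: Optional[date]        # None while no vendor patch exists
    mitigation_available: Optional[date]   # None while no workaround is published


@dataclass(frozen=True)
class Asset:
    hostname: str
    vuln_id: str
    patched: bool
    mitigated: bool


def earliest_fix_date(vuln: Vulnerability) -> Optional[date]:
    """Earliest date on which *some* remediation (patch or mitigation) existed."""
    candidates = [d for d in (vuln.patch_available, vuln.mitigation_available) if d is not None]
    return min(candidates) if candidates else None


def assess(asset: Asset, vuln: Vulnerability, today: date, window_days: int = 35) -> str:
    """Classify one asset/vulnerability pair.

    window_days is an assumed evaluation-and-deployment allowance, not a
    regulatory figure; tune it to the policy the organisation actually follows.
    """
    if asset.patched:
        return "patched"
    if asset.mitigated:
        return "mitigated"
    fix_date = earliest_fix_date(vuln)
    if fix_date is None or fix_date > today:
        # Nothing to deploy yet: exposure exists, but the zero-day case is not negligence.
        return "no-fix-available"
    days_open = (today - fix_date).days
    if days_open <= window_days:
        return "within-window"
    return "overdue"


def compliance_report(assets: List[Asset], vulns: List[Vulnerability], today: date,
                      window_days: int = 35) -> Dict[Tuple[str, str], str]:
    """Map (hostname, vuln_id) -> status for every asset record."""
    by_id = {v.vuln_id: v for v in vulns}
    return {(a.hostname, a.vuln_id): assess(a, by_id[a.vuln_id], today, window_days)
            for a in assets}


def overdue_hosts(report: Dict[Tuple[str, str], str]) -> List[str]:
    """Hostnames that have had a fix available longer than the window and did nothing."""
    return sorted({host for (host, _), status in report.items() if status == "overdue"})


# --- constructed sample inventory (not real systems or vulnerabilities) ---
TODAY = date(2024, 6, 1)
SAMPLE_VULNS = [
    Vulnerability("VULN-OLD", date(2019, 6, 1), date(2019, 7, 1), date(2019, 6, 1)),
    Vulnerability("VULN-NEW", date(2024, 5, 20), date(2024, 5, 22), None),
    Vulnerability("VULN-ZDAY", date(2024, 5, 30), None, None),
]
SAMPLE_ASSETS = [
    Asset("hmi-01", "VULN-OLD", patched=False, mitigated=False),    # five years, nothing done
    Asset("hmi-02", "VULN-OLD", patched=False, mitigated=True),     # workaround applied
    Asset("scada-01", "VULN-NEW", patched=False, mitigated=False),  # patch is 10 days old
    Asset("scada-02", "VULN-ZDAY", patched=False, mitigated=False), # no fix exists yet
    Asset("eng-ws-01", "VULN-OLD", patched=True, mitigated=False),  # patched
]
SAMPLE_REPORT = compliance_report(SAMPLE_ASSETS, SAMPLE_VULNS, TODAY)

if __name__ == "__main__":
    for (host, vuln_id), status in SAMPLE_REPORT.items():
        print(f"{host:10} {vuln_id:10} {status}")
    print("overdue:", overdue_hosts(SAMPLE_REPORT))
```

Running it lists each asset with its status and prints hmi-01 as the only overdue host; scada-01 sits inside the window and scada-02 has no fix to deploy, which is the distinction between "exposed" and "negligent" the comment draws.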