I understand the basic principle - we apply it every day... but in security, when we rule out possibilities, doesn't it make sense that some things become more dangerous because they're not considered or overlooked? It's this type of thinking that perpetuates the exploit-and-catch-up game that the, ummm, bad guys are consistently winning.

For instance, I've heard from several sources here describing how spoofing full TCP communications isn't possible - or, if it is, then it's not considered spoofing. I won't draw a diagram yet again... but it's the farthest thing from the truth. Or that certain encryption schemes can't be cracked. Or that man-in-the-middle attacks don't work against SSL or any other type of certificate-based security protocol.

Another recent event that illustrates my point to a 'T' is Apache's and ISS's approach regarding the chunked-encoding vulnerability. Even though the evidence was clear (a la monkey.org's tamperings), the information released was that it was only a threat to certain systems (64-bit) and that in all other cases the vulnerability would result in typical DoS characteristics.

I get it day in and day out from the security-administrative side, and yet I and others prove them wrong on a continuous basis, only to walk into work the next day and have them make the same claims with some other piece of the puzzle. Definitive statements at best hold temporary truths.

Without much detail with regard to your analogy... I'll do my best:
Was C always locked in the basement?
Were A and B always in the kitchen?
Which side did the lock face?
Who else had keys?
What tools, if any, existed in the basement?
Were there any other means of escape outside of the locked door?
Is the room soundproof?
Is the locked door at the top or the bottom of the stairs?
How much of a gap exists at the base of the door?
Is it large enough to fit a key through? What about a peashooter? Or a dart gun?
What is the relationship between A and B, A and C, and B and C?

These are the types of questions I would want asked rather than assuming the "obvious".

As opposed as my views are, I'm not really against you here, souleman - I'm just trying to gain a better understanding of what I'm guessing is a consensus amongst sec admins, and at the same time offer my own view on security approach.