February 18th, 2005, 06:58 PM
#19
There are many good points and issues raised here. I think I might be able to structure things a little bit by listing the essential issues that must be addressed:
1. How "secure" is my application, server, etc.? That is, if its vulnerabilities are attacked, what is the chance that the attack will be successful?
2. How likely is it that the vulnerabilities will be discovered? In our case this probably doesn't need much discussion, since vulnerabilities of common operating systems and other software are routinely discussed on the web.
3. How much do I care? If an attack is successful, what is lost? Will it cost me an hour or two to rebuild/restore with no other consequences, or does the attacker gain the keys to my kingdom?
4. How much would I have to spend (money, time, explanations to the boss, carping from the users, etc.) to improve protection?
Ultimate action is based on a balanced combination of the three. I really don't care if some systems are compromised. When I see it, I'll fix them or just get rid of the whole thing. Some are worth investing modest effort in, because the cost-benefit for that effort is good. Some I just have to protect or I'm out of business.
In the context of #1 above, it doesn't matter whether a system has been compromised or not, because the question is "how easy is it?" not "has it been done yet?" Let's skip #2. #3 is a biggie. If I can replace a system or its function in a little while (for example, buy a new PC and restore its operation from a common restore disk), it doesn't make too much sense to spend a lot of time and effort in protecting it. #4 is hard to deal with, because the consequences are not all in dollars, even though the upgrades are. These are big questions and are unlikely to be resolved as a general proposition.
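The four questions in the post above map onto a standard expected-loss model: risk is the chance the weakness is found (#2) times the chance the attack then succeeds (#1) times what is lost (#3), and a protection is worth buying (#4) when the risk it removes exceeds its cost. The following added example (not from the post or the forum) carries that comparison through for a few constructed assets; the asset figures, the `max_tolerable_loss` threshold that models "or I'm out of business", and the one-year time frame are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One system, with the four factors from the post as numbers (constructed values)."""
    name: str
    p_discovered: float      # #2: chance an attacker finds the weakness within a year
    p_success: float         # #1: chance an attack on it succeeds today
    p_success_after: float   # #1 after the proposed protection is applied
    impact: float            # #3: loss if compromised (dollars, including downtime)
    mitigation_cost: float   # #4: cost of the proposed protection (dollars)

def expected_loss(p_discovered: float, p_success: float, impact: float) -> float:
    """Annual expected loss: P(found) * P(attack succeeds) * cost of compromise."""
    return p_discovered * p_success * impact

def decide(asset: Asset, max_tolerable_loss: float = 1_000_000.0) -> str:
    """Classify an asset into the post's three tiers.

    'must protect'  - a compromise exceeds what the business can survive,
                      so cost-benefit arithmetic does not apply.
    'protect'       - the risk removed by the protection exceeds its cost.
    'accept'        - cheaper to rebuild after the fact than to protect.
    The threshold is a hypothetical policy parameter, not a figure from the post.
    """
    if asset.impact >= max_tolerable_loss:
        return "must protect"
    before = expected_loss(asset.p_discovered, asset.p_success, asset.impact)
    after = expected_loss(asset.p_discovered, asset.p_success_after, asset.impact)
    risk_removed = before - after
    return "protect" if risk_removed > asset.mitigation_cost else "accept"

def triage(assets: list[Asset], max_tolerable_loss: float = 1_000_000.0) -> dict[str, str]:
    """Run the decision over a fleet and return {asset name: tier}."""
    return {a.name: decide(a, max_tolerable_loss) for a in assets}

# Constructed sample fleet (not real systems):
SAMPLE_ASSETS = [
    # A lab PC restored from a stock image in an hour or two: rebuilding is cheaper.
    Asset("lab-pc", p_discovered=0.9, p_success=0.5, p_success_after=0.05,
          impact=200.0, mitigation_cost=1_000.0),
    # A file server whose loss costs real money: the protection pays for itself.
    Asset("file-server", p_discovered=0.9, p_success=0.3, p_success_after=0.03,
          impact=50_000.0, mitigation_cost=2_000.0),
    # The system that holds the keys to the kingdom: protected regardless of price.
    Asset("billing-db", p_discovered=0.9, p_success=0.2, p_success_after=0.02,
          impact=5_000_000.0, mitigation_cost=40_000.0),
]

if __name__ == "__main__":
    for name, tier in triage(SAMPLE_ASSETS).items():
        print(f"{name:12s} -> {tier}")
```

The interesting behaviour is in the middle tier: the file server's protection costs far more than the lab PC's, yet it is the one worth buying, because the decision compares cost against risk removed, not against cost alone. Change `p_discovered` to see why the post sets #2 aside: once public disclosure makes it close to 1, it stops distinguishing the assets from each other.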