I agree with you if your goal is to lock down every attack vector and you have limitless funds and resources. Most companies that I have worked for have had little of both, so you have to balance, I think, the risk/probability with the cost/effort. I would love to do what you suggest to the nth degree.
However, if most companies would at least run auto tools regularly and fix what they find (or knowingly accept the risk in some areas), we'd be better off. I wish more companies would do at least that.
I think if you can at least lock down the basics, you can successfully get the skiddie and others slightly above her to move on to an easier target. Automated tools help you get there, but as you said, they can't do it all.
Let me clarify: I'm speaking in terms of what I feel a security professional's goal is: maximize profits. That of course means you weigh cost/effort against the risk and only put in/recommend the security that is "needed" and cost beneficial for the company. The problem is in accurately determining (sometimes called guessing) what probability a threat has--and that's different depending on the company and the industry.
It's not an exact science. I have seen simple vulnerabilities go untouched for years. Some things are just not found. They all give me pause, but I can't expect each industry to lock down like it's a financial institution. But at the same time, I can't expect companies to lock down things that won't lead to much of a loss, even if it is exploited; sometimes the cost is just too high and it's cheaper to clean up IF IT HAPPENS.
I know many of you will disagree, but that's what forums are all about: sharing perspectives and being stretched out of your comfort zone--and pondering what others advocate.
Kev, I enjoy your perspective. Keep it up. And congrats on your prize!