My understanding of defense in depth is that it is a hedge against this. By using multiple uncorrelated layers (e.g. the security guard shouldn’t get sleepier when the bank vault is unlocked) you are transforming a problem of “the defender has to get it right every time” into “the attacker has to get through each of the layers at the same time”.

The defender must be right every single time, and the attacker right only once.

Until the attacker has initial access.

Then the attacker needs to be right every single time.

Well, the attacker has something to lose too. It's not like the defender has to be perfect or else attacks will just happen, it takes time/money to invest in attacking.

Not to mention an attacker motivated by financial gain doesn't even need a particular targer defender. One/any found available will do.

The attacker and defender have different constant factors, and, up until very recently, constant factors dominated the analysis.