> Well, you need to harden everything, the attacker only needs to find one or at most a handful of exploits.
Yeah, but it's not like the attacker knows where to look without checking everything, is it?
If you harden and fix 90% of vulns, the attacker may give up when their attempts reach 80% of vulns.
It's the same as it has ever been; you don't need to outrun the bear, you only need to outrun the other runners.
Compare and contrast https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle