A common truth of security, regardless of the application, is that the job of the hacker or attacker is always easier than the job of the defender. The hacker needs only to find one vulnerability, while the defender must try to cover all potential vulnerabilities. The hacker has no rules—the hacker can follow unusual paths, abuse the trust of the system, or resort to destructive practices. The defender must try to keep their assets intact, minimize damage, and keep costs down.
The defender's job is in fact impossible if the goal is 100% security against all potential attacks. That is why the main goal of security cannot be to defeat every threat. Management may need to be educated on this point, because they may not realize that it is a basic tenet of the security profession. Every defender makes a risk assessment by deciding which threats to defend against, which to insure against, and which to ignore.
Mitigation is the process of defending against a threat, transference is the process of insuring against it, and acceptance is the determination that the risk does not warrant any action.