We don't make every building a blast shelter and everyone wear body armor. People who walk through the steps of attacking the US physically are going to succeed.

Our security strategy is to:

A) surveil, infiltrate, and block conspiracies to do so before they happen, and

B) identify, track, and punish our attackers after the fact.

I don't think (and "cyber" policy makers don't seem to think) that making every piece of software free of vulnerabilities is realistic. Sabotaging hacking groups, and building sufficiently scary capabilities for retaliation against nation-states that might attack us, seems much more attainable.