Just to tune in to the "making X impossible" ... there is always someone whos is able to break the lock, and steal the crown jewels. Not even Fort Knox is safe enough and far too famous, hence most of the gold AFAIK has been moved to other, less well known warehouses.
What drove the concept home best for me was what we where teached in military. There, I was trained a a Security Infantry Soldier (before being reclassified as a normal infantry soldier, but that is besides the point).
A big part of our training was securing military installations.... which was really hard work lugging around fences and barbed wire.
A lot of people would initially believe that the sectors now covered with double fences and multiple rows of barbed wire could be forget about, because "who could possibly get in?"...
of course that was a gross mistake.
The point our trainers made was that basically none of these measures where meant to keep someone out, even though it would certainly deter most people from trying to climb in during peacetime because of the time needed and the dangers getting caught in that barbed wire (not to mention how pointless it is to break into a military base during peacetime)... the real point was to MAKE IT HARDER TO BREAK IN, thus a trespasser NEEDING MORE TIME TO GET IN, thus whoever was in charge of defending the base HAVING MORE TIME TO REACT.
Lesson was, no matter how many rows of barbed wire you wrap your base in, given enough time and dedication, somebody can break in.... but with each row, they need more time until they are inside the perimeter.
I see IT Security as the same concept.
You try to deter the script kiddies that lack the skill to break in. They might try, they will not be able to get around the security, they will give up and try to find an easier target.
You try to slow down the Hacker that DOES have the skill to get around your security. That might give your Sys Admins the time needed to notice the attack and initiate countermeasures.
Even if the Attack is successfull, you try to collect enough evidence to trace down the origin of the attack. Making the attack riskier for the attacker in the long run. If the hacker is employed by a country and the country the attack originates from gets traced down, this country will get into a quite awkward situation. Making it quite possible they tell their hackers to refrain from future attacks until they are sure their attacks can no longer be traced.
There is never 100% security... but you can get damn close by combining multiple layers of automated security with competent and 24/7 security staff. Of course that costs money, A LOT of money. Big businesses spend a big part of their IT budget on security because of that.