Why even bother then?
I often compare IT security measures to bulletproof body armor. There are many options and which you use is situational.
The average police officer, for example, is dealing with dumbass gang-bangers who can't even figure out that the gun works better when held vertically. To this end, most choose to wear a lightweight vest. Such a vest is useless against large caliber weapons or attackers capable of pulling off a headshot, but since that's not a good description of what the average officer faces, a lightweight vest offers adequate protection with minimal intrusion or discomfort.
S.W.A.T. teams, on the other hand, only get called in when such circumstances present themselves. To this end they wear heavier body armor, covering a larger portion of the body and protecting against larger munitions.
There are of course variants on this up to and including the tank (body armor so heavy it needs an engine) but it's not feasible for the average cop to drive around in a tank any more than it's feasible for the average cop to wear full body armor, riot gear, etc. all day every day.
Similarly, most of us don't need NSA/CIA/FBI/Other TLA organization level security since we're unlikely to face the same kind of threats they are. We don't each need to be as secure as a bank (or rather as secure as a bank SHOULD be) any more than we need a steel vault door in our living rooms, but we DO need protection. The internet is a hostile computing environment and so depending on your level of exposure to that hostile environment you need some level of protection.
On a meaningfully large scale, security is a non-trivial problem and requires non-trivial effort to solve, but for most folks the equivalent to a light bulletproof vest (virus, spyware, malware scanner and perhaps a firewall) will suffice.