>The problem is the criminals can be anywhere in the world
Perhaps, but we tend to trace the lion's share to one of very few places.
>When criminals are a constant, security is the only variable.
Security also comes through deterring would-be attackers. Security is not simply a posture of attempting to deflect as many attacks as possible. Ever play Missile Command?
In fact, that's disastrous policy. And, even if it were possible to get every company/governmental agency to immediately invest in massive security overhauls along with all vendors, OSS, etc. with near instantaneous results, some attacks will invariably get through.
Seems pretty obvious that we don't want attackers with 100% upside and no downside.
The problem is the criminals can be anywhere in the world and can not be removed. When criminals are a constant, security is the only variable.