This might be true for internal applications. Once you plug anything into the Internet all bets are off. Who's auditing for vulnerabilities, patching, rollbacks. Changes aren't made on a whim. There is either a business, strategic, or security need for them. And it's that last one where everyone is worried.

No system is perfect. It's how you respond to them that matters and if no human is in the loop what sort of response can you expect?