I hate the metrics discussions some of us have in the IA world. On one side there are people who think that we should be able to come up with hard numbers by which to measure security. ("May I have a pound of security, please?") On the other side are those of us who know that it is always going to be impossible to nail metrics down and we have to be satisfied with more squishy measurements of what "good enough" is. In the middle, I suppose, are those who want to please those in the first group, know what the second group knows, and choose to ignore it to please those in the first group.
But, "good enough" usually is 1) better than what we have and 2) pretty darn good.