It's started to be a rule on security programs to have security solutions/processes implemented following the 80/20 "Pareto principle". That's pretty acceptable except for the fact that people immediately forget that remaining 20% and keep in their heads that that risk is completely mitigated.