Sunday, July 09, 2006

Is Effective Security Possible?

Roger A. Grimes' article ('Effective security isn't easy, but it is possible') introduces some fundamental points about security that are really useful. Mike Rothman's post ('Effective security - within reach?') about Roger's article is useful too. But my question is: 'what is effective security?'

Roger Grimes says:
There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it’s been years since a significant malicious event happened to their environments.
If he thinks that the above paragraph is the definition of effective security, he is making a mistake. The DOD Dictionary of Military Terms defines 'security' as:
1. Measures taken by a military unit, activity, or installation to protect itself against all acts designed to, or which may, impair its effectiveness. 2. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 3. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security. (DOD: security)
For a more practical definition, Federal Standard 1037C (Telecom Glossary 2000) says:
1. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 2. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security. 3. Measures taken by a military unit, an activity or installation to protect itself against all acts designed to, or which may, impair its effectiveness. (FS-1037C)
Wikipedia's simple and clear definition of effective security is:
A secure system is a system which does exactly what we want it to do and nothing that we don't want it to do even when someone else tries to make it behave differently. (wikipedia.org - security)
Is 'effective security' something different from 'security'?
- If the answer is negative, then: "Effective security isn't easy and it is NOT possible." Just think about 0-day exploits, underground exploits and so on. 100% security is not possible (at least for now).
- If the answer is positive, he should tell me what 'effective security' is. 'Practicable security', in my view, is 'the maximum or best security you can achieve on a network using all of the resources available for securing it.' When you practice 'practicable security', it may not be so 'effective' against hostile acts. I have no idea about 'effective security'.

The next question is: 'Is it possible to make the network secure enough only by using the points he has recommended?' For example, suppose that software A is naturally insecure, B is secure, and you cannot change A to make it secure. The company is using A and doesn't want to switch to B. 'Does my effort (based on his article) make the network secure enough when there is some insecure software running on it?'
