A cyber incident in an industrial control system can have serious consequences, and all security technologies have limitations. This means we can always be more secure, or less.
We could force-fit cyber risks into more conventional models by "making up" numbers for the probability of serious incidents, but "made up" numbers yield poor business decisions.