How secure is the source integrity of all your dependencies?

All your software vendors?

How likely are you to get malware on an employee laptop?

Phish employee credentials?

Have somebody sneak into your office late at night and install keyloggers on everyone's keyboards?

Kidnap an employee's family and blackmail them into giving you access?

Go through your recruiting pipeline and join as an employee with the motive to steal your data?

Get two people to do the same and bypass peer review controls?

Of course those are getting outlandish and unlikely, but that depends on how "motivated and skilled" your attacker is.

If you’re going against a three letter agency, Israeli or Chinese intelligence, you also have to consider all of your hardware sourcing. They don’t even need to compromise vendors, they just need to intercept a package en route.

Not sure where OP was coming from. It’s virtually impossible to protect yourself against a dedicated advanced persistent threat group.


In the purest, most academic sense of the conversation, yes, it is impossible to comprehensively defend against 0-days, APTs and nation states.

If we want to be pragmatic about the discussion, then it’s all about your threat model. In that sense, OP is right. If you’re a mom and pop shop selling a catalog of hardware, your LAMP stack isn’t going to face the same scrutiny as a “GooFacePayZon”. According to how he defines his threat model, he can call himself ‘secure’.
