• Jeff Moden (11/25/2013)


    All it has to do is happen once on my machines and I'm screwed. And monitoring for something means that it has already happened and the monitor log then becomes nothing more than fine testament that I couldn't do my job correctly. 😉

    Agreed. You can ask Cupid Media or Adobe about how well their monitoring for something helped them after they lost tens of millions of rows of information on users - 42 million for Cupid Media, and over 150 million for Adobe (including email addresses and passwords).

    Security isn't done well by thinking that 1 in N odds of one specific breach aren't bad; it's done well by reducing the chances for problems at every level and layer, and working to ensure that when a breach does happen, the damage is as small as possible. There are many, many ways to be breached, and each and every one has its own "odds".

    Looking at some intrusion detection logs, the #1 attack I actually see being tried is on port 1433, the default SQL Server port!

    As far as third-party software goes, I also agree with Jeff - I write my own, or use scripts I can check (Ola Hallengren's and Adam Machanic's, primarily, with a dose of Jeff's for tally tables, and several from the SQLServerCentral community), none of which need CLR. I do use some other third-party tools (Hashcat) for password audits, but those don't need any special access - just CPU or GPU time.