We should be doing the right things and be seen to be doing them. Except for a possible small number of exceptions, I would hazard a guess that the majority of hackers are either criminals or cyber-vandals. As such I would expect both groups to be more interested in easier targets (no pun intended). Criminals will want to maximise their gains from low risk/low effort activities whilst cyber-vandals are more likely to be interested in high profile results possibly without serious amounts of talent.

This is the classic scenario of not necessarily being able to make the situation impossible rather than make it difficult to a level that there are easier targets available.

Also by taking the appropriate steps then stakeholders should attain a level of reasonable confidence. It may also provide evidence that due diligence was performed in a more legal setting.