I recall working someplace where physical security was thought to be an adequate means of hardening our servers to attack. That is, only authorized users could gain entry into a locked Server room. Of course, anyone outside of management knew that this was false because of the fact that the Servers were connected to a network.
That was a VERY long time ago, but does indicate how poor security can be simply by "securing everything around" a Server or Database. Many lessons have been learned since a locked server room was thought to be "enough".
Better to have multiple layers of security that have to be traversed rather than putting all your eggs in a single basket (Happy Easter! No Fooling).