It costs real resources to find vulnerabilities in software, with the level depending on the target. The greater the persistence of the intruder the more professional the intruder. Black hats have a lot of costs to manage, beyond those in my original post. I can pretty confidently argue that intruder costs are dwarfed by defender costs. To the extent that “defense in depth” applies additional costs yet do not meaningfully reduce exposure and vulnerability, DiD does indeed “exacerbate the value cost inequity for defenders””]
Source: https://taosecurity.blogspot.com/2010/05/more-on-black-hat-costs.html