With security, whether electronic/computer, personal/bodily, or physical/building, there's threats and risks. Threats are possible bad things that can happen. Risk is the probability of those things actually happening. I'm sure you've left a window open in a building or car at some point. That's a major security threat, as a prowler could just climb right in! BUT, I'm willing to bet that didn't happen. The risk was low enough that you decided you could open the window. Likewise, do you have a bodyguard with you 24/7? Most likely not. Why? Because the chances of something bad happening is so low that you can't justify the hassle and expense. Not every computer/software threat is a reality, or even a problem unless the computer's connected up to raw internet without a firewall.

If anything, your post underscores why we've done what we've done.

Dropbox is a much bigger target than our lowly IP block in a very quiet, almost completely unused larger IP block. I see the random IP drop by periodically, but we'll go days, sometimes weeks without someone trying the doorknob. We still use nice security -- The software we use is also used by companies like Cisco, airlines, airports, health insurance companies, hotel chains, automotive manufacturers. We use them as our shield/canary-in-the-coalmine of sorts, since they're much larger targets than us and have much larger and experienced IT departments. No reason for us to reinvent the wheel when these large companies have paid employees doing the work for us.