Quantitative Security Metrics: Unattainable Holy Grail or a Vital Breakthrough within Our Reach?

It's long been well understood that you can calculate useful estimations of systems' reliability against accidental failure. It's also well understood that trying to calculate systems' level of security against possibly intelligent, determined, well-funded, and creative adversaries is a far greater challenge. Nevertheless, even a less-than-perfect predictive capacity, if its limitations are respected, is clearly better than none at all. Without promising perfection, such a capacity would offer crucial support to decision making that impacts system security.