AFAIK, the Internet was designed to be OPEN, not secure, so pretty much everything is "bolt-on" after the fact...
As humans are fallible, everything created by them is also fallible. The old adage is very true: If debugging is taking bugs out, then programming is putting them in. Not all of them are known at any specific time, and some were put in ON PURPOSE (example: back-door access for testing or support).
Harden the system in layers. Everything is subject to change, so vigilance and diligence are in order. What is secure now might not be in 2 months, 2 weeks, 2 days, or even 2 hours. Putting in specific, credible forensic information and tools can help greatly reduce the time taken to track down issues and determine mitigation/prevention steps. Even something as simple as a separate Syslog Server can be very useful, but you do have to weed through the "flotsam and jetsam" when necessary. Plenty here have addressed the main focus areas, so I will not dive in any further. Do note that providers of software/services may not secure everything to your liking!
On Two-Way IPS from Trend Micro, I was making a habit of contacting the "abuse contacts" for specific Source IP Address Ranges to let them know of possible attacks. I found a few, outside of Known Countries with Active Hacking "detachments", that actually had more traffic after my contact. I stopped contacting them, and since my router stops "answering the door", I get less "knocking". Some of the Source Addresses were from my work computer for specific traffic related to Microsoft Azure, so these were False Positive Findings, but I did have to know how to track this information down. Since there were browser-based error messages and time-based information sources to go on, I was able to narrow my search down and determine the issues and remediation steps.
The following are a couple of sources that I use:
Common Vulnerabilities and Exposures:
http://cve.mitre.org/index.html
Common Vulnerability Scoring System Calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
OWASP Top Ten Project:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
In the calculator, you can hover over each selection to help understand what each metric means. I have used this tool at times to understand specific vulnerability scoring for assessing potential risks to my computing activities. I have used the calculator to score specific vulnerabilities discovered through scanning tool activities related to SAST, DAST, etc. The tools used to determine vulnerabilities will sometimes rank findings higher and/or lower than a specific implementation would rank, so the calculator has helped in proper risk assessment.
Example: I set up a test network with no Internet connectivity, LAN and wireless access, and hosting a Test Desktop and HP TouchPad devices (some are dual-boot webOS/CyanogenMod and at least one is dual-boot webOS/LineageOS). The Test Desktop runs scanning tools and comes across a vulnerability specific to the version of CyanogenMod in use. The vulnerability is ranked HIGH but my scoring shows LOW due to use in a TEST ENVIRONMENT and NO INTERNET ACCESS. It does give more impetus to migrate from CyanogenMod though!
I hope this information is helpful.
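The rescoring described above (a scanner's HIGH base score becoming LOW once the isolated, Internet-free test network is taken into account) can be reproduced with the CVSS v3.1 Environmental metrics that the NVD calculator exposes. The scorer below is an added example, not the poster's tool or NVD code; the weights and formulas are from the CVSS v3.1 specification, and the two vector strings are constructed for illustration (MAV:A for a LAN/wireless-only network, CR:L and MC:L for throwaway test data), not taken from a real finding.

```python
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}  # shared by C, I, A and their Modified forms
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}  # by Scope
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirements
TEMPORAL = {"E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92}}

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, without float surprises."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def severity(s):
    return "None" if s == 0 else "Low" if s < 4 else "Medium" if s < 7 else "High" if s < 9 else "Critical"

def score(vector, env=False):
    """Base score (env=False) or Environmental score (env=True) of a CVSS:3.1 vector string."""
    m = dict(p.split(":") for p in vector.split("/")[1:])  # {metric: value}; absent or X = not defined
    def g(k):  # environmental scoring uses the Modified metric (MAV, MC, ...) unless it is X
        return m["M" + k] if env and m.get("M" + k, "X") != "X" else m[k]
    req = (lambda k: REQ[m.get(k, "X")]) if env else (lambda k: 1.0)
    changed = g("S") == "C"
    expl = 8.22 * W["AV"][g("AV")] * W["AC"][g("AC")] * PR[g("S")][g("PR")] * W["UI"][g("UI")]
    iss = 1 - (1 - req("CR") * CIA[g("C")]) * (1 - req("IR") * CIA[g("I")]) * (1 - req("AR") * CIA[g("A")])
    if env:  # environmental ISS is capped; Changed scope uses the v3.1 corrected exponent
        iss = min(iss, 0.915)
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13 if changed else 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    s = roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    if env:  # temporal metrics E, RL, RC scale the environmental score
        for k, table in TEMPORAL.items():
            s *= table[m.get(k, "X")]
        s = roundup(s)
    return s

# Constructed example: a scanner rates a remote info-disclosure bug High; rescored for an
# isolated lab (no Internet uplink -> MAV:A, throwaway data -> CR:L and MC:L) it is Low.
BASE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
LAB = BASE + "/CR:L/MAV:A/MC:L"

if __name__ == "__main__":
    for label, v, env in (("Base", BASE, False), ("Environmental", LAB, True)):
        print(label, score(v, env), severity(score(v, env)))
```

The Base score stays with the finding as published; only the Environmental score reflects the assessor's network, so record which Modified metrics were changed and why, since the justification (no uplink, test data) is what a reviewer will ask about.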