How much security is enough?

As a security engineer, I regularly work with developers. Together we draft various ideas and try to find the best possible solution to the problem at hand. During this process, the following question