In games, your protection against attack is usually represented by a single number. You have an armor rating; maybe it’s 1 if you’re wearing ordinary clothing, but 3 if you’re wearing leather armor, and 10 if you’re wearing a plated spacesuit. If you put on a helmet, it improves your armor rating by 2; and that applies even to blows that would hit you in the belly instead of the head.

In the real world, protection against attacks doesn’t work like that. Putting a helmet on protects your head, but does nothing to protect you against getting clubbed in the belly. Armor protects what it covers; it doesn’t grant you a static percentage chance to deflect any attack.

Computer protections are like that, only more so. If a server does not receive email, then it cannot be attacked via email. If it is only exposed to web requests through a reverse-proxy, then only those requests the reverse-proxy accepts can possibly attack it.

The most vulnerable systems are those that have to communicate with a large number of other systems, including business partners, consumers, governments, etc.