That's right. Security works. Your enterprise security program works.
Consider the following question. What part of the attacks that hit your perimeter does it resist?
a) None of them
b) Few of them
c) Enough of them
d) Most of them
e) All of them
Most of you said "c" or "d." We call that "working."
A few of you may argue that only "e" can be called working, to which I respond, "Be careful what you ask for, you might get it."
Do you know how to resist even more attack traffic? If that were the only objective, of course you do. You do not do it because resisting attack traffic is not the only objective. Even resisting "most attacks" involves at least slowing, if not rejecting, some legitimate traffic. It may also involve tolerating a resourceful attack.
Said another way, within the tough choices that face you, the security perimeter is doing what you intend. We call that "working."
Security is a hard problem; there are no perfect solutions. It requires the exercise of informed judgment. That is why we are called professionals and are paid the big bucks. Such as we are and given the conditions that we face, we do the best we can. That is called "working."