John Robb nails why computer security is hard. The connectivity and relationships across the Defense in Depth layers means that this scenario is achievable:
In Blitzkrieg warfare, the point of greatest emphasis is called a schwerpunkt. It is the point, often identified by lower level commanders, where the enemy line may be pierced by an explosive combination of multiple weapon systems. Once the line is pierced, armored forces dive deep into enemy territory to disrupt command, control, and logistics systems. Once these systems are disrupted, the top-heavy military units they support collapse in confusion.
The "line" that may be pierced in computer security could be a physical, host, app, network, and/or data element. Once the breach is there, a skilled attacker may use this beachhead to launch further attacks that are aimed at the control environment. This is why threat modeling is useful, but does not provide sufficient analysis to construct security architecture. Clausewitz counseled to be "strong, first in general, then at the decisive point." So, in one simple example: your Web Service's WSDL is likely not an end goal for an attacker, but you should still put SSL and other controls on that puppy, because that WSDL is potentially the attacker's interface as much as your Web Service's.