You raise many valid points. Even physical defence is harder than offence... thus the basis for the MAD philosophy of the Cold War era.
I find it interesting that the likes of NSA, GCHQ, et al., are not assisting our critical infrastructure in testing. Penetration testing seems to be the bailiwick of private firms and I would think they don't have the tools of the big 5. Rogue states are a problem just like the rogue terrorist... unpredictable in when and where they will strike. OTOH, I can see why the big 5 are not doing this since there are so damn many companies that would need to be tested.