"This means our software is behind the multiple layers"
Can't this people understand their system could be still vulnerable to insiders attacks, or from other compromised systems inside the network with some kind of access? Or they really believe the only attack vector is a browser pointing to "malware.biz"?
Many successful attacks to valuable payloads aren't made with a single direct attack to the system storing them. I wonder if all they know about attacks is from Hollywood movies.