Here is an insightful post from Jeremiah Grossman blog. As he says, often people recommended fixing the simple glaring vulnerabilities - low-hanging fruit - after a vulnerability assessment.
And then he makes this bold claim: 'eliminating the low-hanging fruit doesn't really do much for website security.' He then explains that this is because the role of 0days is much higher in web hacking compared to platform hacking and removing simple problems just means that complicated ones are sure to be exploited ...
It does seem to make sense! So, in this case "better than nothing" strategy gives you just about the same stuff "nothing" strategy aka "close your eyes and go."
Those doing risk assessments should definitely pay attention to this!