Making sure that access is properly controlled and that code cannot be subverted for unintended purposes is only a part of the concept of security. Ensuring that you can recover in the event of some unforeseen circumstances or an Act of God, as the insurance companies like to call it, is all part of an integrated security policy. I'm sure many of you, as have I, have worked on a document when for no reason the application simply packs up and says something suitably terse like I am going to close down and ensure that the last three hours of your hard work will never be seen again <insert evil laugh and fade to blue>.
Well, if this has happened on a document, then you can imagine the amount of anguish you are likely to experience when the last three years of sales information along with your configuration settings and database are erased by a ten year old kid who has breached your security and wiped the slate clean. Without a proper disaster recovery policy it is...