Yes, indeed - no system is 100% secure, especially if connected to the internet.
You don't even need to be connected to the internet - but it helps.
I hired a penetration testing company a few years back to test one of our secure "sand boxed" systems. When they found that the network security was pretty good (not perfect), they hired an actor, mocked up a security pass and charmed their way into the office building, where they found a desktop computer turned on and somebody had popped out to the loo... The rest is history.
The data security team at my place work very closely with our cloud provider - who themselves are pretty good - a well known, large company, and certainly not the cheapest, so we get to understand some of the attacks and some of the things that we and others are doing about it. As Ops here have posted, these attacks are becoming very sophisticated, and the people developing the tools can make millions. Microsoft and Apple both pay up to $200,000 to anyone who makes them aware of a vulnerability in their systems, but people develop these exploits can make more selling to criminal gangs.
We don't use tape backup - we considered it - but the sophistication of some of the malwear means that is lies dormant or more perniciously sltowly affects data and systems so you don't notice it is there for months, and by then the tapes themselves are corrupted. When you are dealing with peta-bytes of data, tapes are not useable in any case.
So as people here have said - from my perspective - it really is a war between the technical teams to stay ahead. I'm not going to go into details (because most of them are way too technical for me) but we use tools like AI (machine learning) which analyses data access patterns and looks for anomalies in both data and executable code - give aways include changes to historical or static data, access from unusual sources, patterns of data change etc. It is an industry in its own right - and as we are a data driven organisation - like many, it costs us a fortune, and we know we are far from immune.
The security advice I have been given by a company who shall remain nameless was that we don't need to always beat the hackers, we just have to be a hard enough target so that they prefer to attack someone else. Sounds quite mercenary doesn't it?
I know little about trains, other than I use them and I am a geek and enjoy reading these forums - but enterprise IT is something I do know a great deal about. Flowbird have my sympathies.