
You can, but it doesn't work very well.


Au contraire, it works very well in many domains of engineering (source: I use it all the time). I suspect you may be viewing the general approach through a narrow lens of one particularly demanding requirement (targeting "absolute security"), and comparing an existing approach with input costs that are often considered high or unrealistic (e.g. specialist manual configuration).

For example, if the target system is a software system, and the baseline is "no extra security", then running a full codebase coverage test battery across software with network activity monitoring, computation monitoring, memory monitoring, kernel API monitoring, filesystem monitoring, etc. is going to get you a really strong profile of what isn't used to reduce the effective attack surface. This can be done at multiple levels: system API restriction, filesystem restriction, resource restriction, firewalling, VLAN segmentation, intrusion detection system ruleset generation, etc. This is awesome versus manual config, as it is free, precise, adapts with upgrades once plugged in to CI/CD, and requires zero specialist humans... who often function to perform similar processes in an iterative fashion on a best-effort basis.
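Added example, not part of the comment above: a sketch of the profiling approach it describes, turning a trace recorded during a test run into a deny-by-default seccomp allowlist plus the file paths and endpoints actually used, with a drift check for CI. The trace is a constructed strace-style excerpt, and `profile`, `seccomp_profile` and `drift` are hypothetical names chosen for this illustration.

```python
import re

# Constructed strace-style excerpt, standing in for a trace of the full test suite.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY) = 3
1234 read(3, "port: 8080", 4096) = 10
1234 close(3) = 0
1234 openat(AT_FDCWD, "/etc/app/local.yml", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1234 connect(4, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
1235 openat(AT_FDCWD, "/var/lib/app/cache.db", O_RDWR|O_CREAT, 0644) = 5
1235 write(5, "x", 1) = 1
1235 +++ exited with 0 +++
"""

LINE = re.compile(r"^\d+\s+(\w+)\((.*)\)\s+=\s+(-?\d+)")

def profile(trace):
    """Collect the syscalls, file paths and TCP endpoints the tests exercised."""
    seen = {"syscalls": set(), "paths": set(), "endpoints": set()}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:                       # exit markers, signals, other noise
            continue
        name, args, ok = m.group(1), m.group(2), int(m.group(3)) >= 0
        seen["syscalls"].add(name)      # failed calls are still calls the code makes
        path = re.search(r'"([^"]+)"', args)
        if name == "openat" and ok and path:
            seen["paths"].add(path.group(1))
        ep = re.search(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)', args)
        if name == "connect" and ok and ep:
            seen["endpoints"].add((ep.group(2), int(ep.group(1))))
    return seen

def seccomp_profile(seen):
    """Deny-by-default seccomp profile in the Docker/OCI JSON layout."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(seen["syscalls"]),
                          "action": "SCMP_ACT_ALLOW"}]}

def drift(old, new):
    """CI gate: anything the new build used that the stored profile lacks."""
    return {k: sorted(new[k] - old[k]) for k in new}

if __name__ == "__main__":
    import json
    print(json.dumps(seccomp_profile(profile(SAMPLE_TRACE)), indent=2))
```

The resulting allowlist is only as complete as the test coverage behind the trace, so a non-empty `drift` result is a prompt to review the change before regenerating the profile.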



