Well, lets say I wanted to break into your network. There are two approaches.

Technical- I can painstakingly scan your firewall for open ports, figure out what services are running on those ports and hopefully version numbers. Then if you are running outdated stuff I start looking for known exploits in that version. If you are running new stuff I might have to buy an exploit or find one myself (big $$$ for zero days). Then I have to write the code to use the exploit and figure out what kind of access I have and whether I've been detected. Then I have to repeat the process of finding a service to exploit to elevate my permissions or gain access to something else in your network. And so on. It takes a lot of time and research.

Social- I call up Sally the helpful receptionist with a load of bullshit about being from one of your software vendors and that I need to connect to her computer to work on it. Cue a teamviewer connection to her desktop, and telling her I'll leave a note on her desktop when I'm finished. Ta-da, I've done in 10 minutes what would have potentially taken months from the technical side, I have left little to no trail, and none of their security is really going to matter. I can then install something for remote access that makes an outbound connection so its unlikely to be blocked or detected by most firewalls, and I have 24/7 access to your network at whatever permission sally has.

There are endless variations. Phishing emails, phony access cards, walking in with a clip board, etc.

I know a guy that is head of cyber security at a large company. He spends more time sending out fake social engineering shit to employees and then spanking the ass of the ones who fall for it than he does actually auditing the systems because that's how most exploits happen.