Users of security tools often treat them like magic boxes. One example is a technician called out to diagnose a misbehaving computer who runs an antivirus scan, gets no results, and asserts that no malware is on the system.
The problem is that antivirus software may fail to pick up malware for a number of reasons, and the technician does not understand the inner workings of the tool they used to scan the impacted machine. Smart attackers know how to evade detection and operate within areas that security software does not scrutinize, so they achieve their objectives without being detected.
Another example is a network technician responsible for a NIDS who makes a similar false-negative assertion when they see no alerts in their tool, without knowing what the tool is actually looking for. They simply assume that if nothing is detected, all is well in the cosmos. They shelled out a lot of their budget for the tool, so it must work after all!
Another example is security appliances on the network that never get patched or maintained. Administrators erroneously assume that if it's a security product, the vendor must take security seriously and the device is protected by an impenetrable cyber force field. These devices are often neglected and are themselves the subject of security vulnerabilities.