Security is about the following: If an attacker perform some unexpected action, where there’s an infinite number of possible inputs/actions, the system must not do any really bad action.
This is a black-box statement. We don’t care about the internals/syntax of the problem’s nature. We only care about the output: whether a system is secure.
Further, we know that there are systems that are insecure, and some that are secure, e.g. a program written in a memory-safe language vs. a program written in a non-memory-safe language, assuming that secure refers here to the property of a system being memory-safe.
This is a non-trivial extensional language property. According to Rice’s theorem, this implies the undecidability of security properties. Hence, we can conclude that security is hard.