Quantitative Security Metrics: Unattainable Holy Grail or a Vital Breakthrough within Our Reach?