It's not a security professional saying this though. It's a politician.
You can never be 100%, you're right. You can be aware of common attack vectors and address them though. You can be aware of what resources are most vital to protect or are common targets in your industry and focus your efforts.
Most people actually in security will tell you the same.
It would depend on the exploit. For a simple example, an exploit that was a result of a flaw in the file specification could result in it being cross platform.
It's going to be rarer to find something of that scope, maybe even to the point of you being effectively right.
The two of you have different priorities. You are both right and both wrong.
It's not really the kind of thing that requires a citation. However it's trivial to Google and see there are a whole range of opinions on the matter.