My take as an attacker: it goes directly against the security 101 of "defence in depth". Sure, we only have to win once for a specific step, but then there are more steps to complete for us to reach our goal. This is the same for most occupations that I can think of anyway, no one reaches their goal with one step.
I understand that this can be taken to mean there are multiple avenues to achieve a certain objective (e.g. I can find a password on disk multiple ways), but I still wouldn't agree. Develop a defence that makes sense (e.g. MFA is a good mitigation for password theft). Detect / alert on the usage rather than the endless list of methods to retrieve a password.
It's still a "loss" from the defenders perspective even if someone can't compromise other systems. The defenders still need to assess the damage, fix the vulnerability, and verify that nothing was compromised regardless of what protections are in place.
For example, maybe the attacker is after trade secrets but compromises the CMS (content management system) of your public website. It has no connection to your intranet, but they were able to change download links and inject scripts for visitors of your website. Still a "win" as they now have a place to pivot from or just use to their liking. It gives the attacker options while your system is left weakened with less options.
