Re: Defence in Depth is really about gaining time to allow a measured response.
Glad to see others talking about physical security principles with respect to network security. If we want to be frank, yes, defense in depth is about delay - with it being the hardest and longest to get to the most valuable possessions. It is one of the key aspects of physical security's four stages:
* Detect - lets you know something is wrong
* Delay - gives you time to do something about the threat before it concludes its aims
* Classify - take a moment to come up with a balanced solution to the problem, have contingencies!
* Respond - act to mitigate/eliminate the threat.
Most articles talk about doing defense in depth, but don't talk about why it's done the way it's done. If network admins considered how physical security handles threats rather than assuming it was possible to prevent bad actors (a wise man once said: the only secure machine is the one which is unplugged from any networks, powered off, shredded, then incinerated - and the ashes spread from an airplane into a tornado). The author of the article has a good head-start, understanding what you have and what your risks are - this will help focus the defensive measures towards the "crown jewels". Unique IP, customer data, and electronic business identity (crypto-keys, and the like), are the crown jewels which should be protected at all costs.
Things like the HVAC system are not as sensitive and should not be housed in the same rings of security. Much like a castle would have a town outside the bastion walls which would be abandoned during a siege, as the residents ran inside to help hold the fortification, some parts of a network must be able to be considered sacrificial. You also didn't see a lot of cases where an inner layer depended on the outer layer to hold up - using the castle reference again, if the castle could only stay secure as long as the soldiers were given food and water, but someone had to go outside to hunt and get to the well to support the soldiers, it wouldn't be long before the castle fell.
A business can probably lose a day of output due to lost productivity (even at a cost of millions), versus having brand damage or IP theft continuously sap trust in an organization. Unless of course losing a day of work is the trigger of said brand damage - see the recent British Airways fiasco. That was obviously a serious miscalculation of the risks of each sub-system interacting on combined/simultaneous events - and a further illustration of how each protection layer needs to be self-sufficient, not inter-dependent in any way.
It's also important that what is available in outer layers does not become a tool for those attempting to overcome the next layer. Have a window to keep people out, but also have large rocks in a planter? That's a burglar's "key". Built a tower to keep a knight from getting to Rapunzel, but leave your extension ladder in a shed in the yard? Hygiene is just as important as having the right defenses - if one can't see people walking up to the fence, you can't detect it, thus the delay of climbing over it doesn't do any good. If you clear the trees 1km from the fence and mow the grass, you gain that much more detection and delay capability. Likewise, if one starts looking at the traffic that comes and goes into a facility, control it and filter it - and you will be able to see the obvious attempts to break a window... Being able to define things that shouldn't happen (black-listing) is the result of good planning on what should happen (white-listing). If one has correctly constrained the scope of their environment, anything out of the scope can be considered wrong (attack).