You conflate so many facets into an hopeless image. Yes, all research facilities are potential targets. Yes, it's wise to assume that no single one can realistically deflect a full frontal attack from a state agent. But each possibility doesn't happen all at once because resources are limited. It's like saying you can't defend a country because each of your soldiers is mortal.
A large part of cybersecurity is removing the low hanging fruit (eg. Gitlab's recent phishing test). The current stakes might probably target an unprecedented level of attention towards research facilities where people weren't concerned about all this stuff, and it's safe to assume aren't experts in the matter. So there's probably a lot that can be done to strengthen the security landscape, making life difficult to attackers, and generally consuming their attention and resources, resulting in a net positive. Even if each one would still succumb, maybe fewer will.
A large part of cybersecurity is removing the low hanging fruit (eg. Gitlab's recent phishing test). The current stakes might probably target an unprecedented level of attention towards research facilities where people weren't concerned about all this stuff, and it's safe to assume aren't experts in the matter. So there's probably a lot that can be done to strengthen the security landscape, making life difficult to attackers, and generally consuming their attention and resources, resulting in a net positive. Even if each one would still succumb, maybe fewer will.