Sure, but prioritization is important here too. I would rather work on detective controls first and identify the large attack surfaces / weakest links, and only much later look at system hardening. (But to clarify I don't consider things like patch management to be system hardening)