With Access and Windows, it's all about environment. I'll try to say it without too many stumbling points. It is ALWAYS about risk/reward. You ALWAYS should buy the protections you need to control the risk, and the reward is a working tool to help your organization go forward.
The U.S. Navy had a BuPers (Bureau of Personnel) application that was used to manage medical school scholarships for potential Navy medical doctors. (Navy pays for your degree, full-ride scholarship, if you serve as a medical officer for 10 years.) It was implemented with Access as FE manager and SQL Server as BE manager. It sat behind an isolation firewall that led to a network called NMCI - the Navy/Marine Corps Internet - essentially a private enterprise network - that was not fully exposed to the big-I Internet, i.e. "the world." That subject matter meant that they were subject to the USA Privacy Act and, because it was a personnel system, were also subject to Navy regulations regarding security clearances.
It was basically SBU - Sensitive But Unclassified - and FOUO - For Official Use Only. It wasn't quite sensitive enough to be classified as Secret. The lesser level is called "Public Trust" and for much of my career with them, that is the clearance I held. Access to NMCI required Public Trust and was accomplished via two-factor authentication - a physical smart-card reader and a separate PIN. AND it worked over a VPN, which meant secure remote access was possible. As to range, NMCI at one time held the distinction of having the second-largest OUTLOOK address book in the world. I'm not allowed to tell you how many people were served by it (because the Secret-clearance NDA is lifetime), but it was a bunch. NMCI was available in Rota, Spain and Seoul, South Korea plus a few Aussie sites, something from Qatar, and I forget how many other international sites were served by NMCI - but it was massive. In fact, I met Nautical Gent while we were both on NMCI.
This situation passed security requirements because of (a) sub-net isolation, (b) higher-level login requirements, (c) I don't know how the SQL Server was set up but it was not a passive part of the security. I got called in for front-end diagnosis and trouble-shooting; another team member handled the BE machine. The point being that as paranoid an organization as the U.S. Navy still entrusted Access to drive the FE of a money-and-personal-data app. They did so because it was shielded. It didn't matter that Access intrinsic security was limited. Its external security was top-notch.
On the other hand, even OTC apps could sometimes get fooled when going out through a stateful firewall. One of my colleagues visited the New York Times (on the Web) site using whatever Microsoft was using as a browser in about 2014 - probably Edge - for a news article only to find it had been hacked and contained a malicious link that then downloaded porn to his machine. Took the IT team two days to wipe his laptop and reload it.
There are multiple kinds of hackers. Fortunately for most of us, the most common hacker is the opportunistic "grazer" - looking for any system with weak security. This is the kind of hacker you can dissuade by having decent security. The worst kind of hacker is the "targeted attention" operative, who knows or believes that behind your protections is a treasure trove of some kind. This is the hacker you can never stop; you can only slow him/her down. State-sponsored hackers (Russia, China, and Iran come to mind) are paid professional black-hat hackers whose attention you don't want.