Pseudonymous audit for privacy enhanced intrusion detection

Security baselines have provided some guidelines to these organizations on which controls are, under general circumstances, the most effective to install to provide and acceptable level of protection. If an organization requires a higher level of protection in certain areas, a risk analysis can be conducted in those particular areas. As security baselines improve, the need for a further risk analysis will obviously decrease.

Will a situation arise where security baselines are so extensive that no need exists for any further risk analysis exercise?