Hacker News

I've never understood "defense in depth" to be in the context of a single application. Rather, an entire network will have "defense in depth" if it has such things as a firewall with proper rules at every gateway, machines with proper virus protection that aren't running silly services, and users with proper responsibility to not run things sent to them via e-mail.

In that context, if a supposed "hacker" wants to gain access to files on machine X, they may be able to penetrate gateway A, router B and firewall C, but they still will be blocked by NIDS D or end up in honeypot E.



The cold, hard truth is: "defense in depth" really means, "don't do anything wrong".



