There are plenty of "theories" in security - like how to prove a system is secure. And guess what? They never work.
The problem with theories is that they tend to look at a certain set of factors. Pieces, inputs, outputs, calculations, etc. But it turns out that in security, the most dangerous problems are the ones that you don't realize exist (until it's too late). In other words, abusing the system.
A good example is threat modeling. I want a shirt that says, "I'm not in your threat model" - implying that your threat model doesn't (and can't) cover a sufficiently creative hacker.