Whilst it is ideal to have those who hack into your machine to be put in a cell, what good will it give you if s/he has done significant damage already, right? Prevention is the first thing to do, of course. In most systems, SSH is one of the services that is open to allow for remote access. Whilst it is secure, the software is not always 100% perfect. Your SSH deployment is only as good as the latest patch. So as vulnerabilities are discovered, hackers are often quick to take advantage of lazy system administrators who take forever to get their machines patched. How do you protect yourself against this situation? Yes, don't hire lazy administrators!. However, you can add a way to contain the hackers to a sandbox, where s/he cannot do harm to the entire system.
Whilst this does not guarantee a 100% secure system, it does help you get closer to that ideal. :)