key management: is there really any safe way to store an encryption key?

I know several ways to store an encryption key, some very bad, such as in your code base or elsewhere on the same server, and some much better, such as when encryption/decryption is removed from your application or linked to specific hardware (for example, an HSM).

I am surprised that, whatever method is used, if an attacker gains access to your code base, they can simply write a script that decrypts and exports the database.

Obviously, keeping keys off your server is very important, but am I missing something obvious in the context of what I mentioned above?
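An added illustration (not part of the question or any answer) of the difference between the two storage models the question contrasts: a key sitting in the code base, which a reader of the source can copy and use offline, versus a key that only ever exists inside a stand-in for an HSM, so the "dump the database" script is limited to what that component allows and every call is on record. The `KeyVault` class, its opaque handles, the per-caller call quota and the audit list are assumptions made for this demo, and the SHA-256 keystream XOR is a placeholder for a real AEAD such as AES-GCM.

```python
import hashlib
import os
from collections import defaultdict

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Placeholder cipher (SHA-256 keystream XOR); use AES-GCM in real code."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Model 1: key in the code base. Whoever reads the source can decrypt every
# record forever, offline, with nothing logged. (Constructed value, not real.)
KEY_IN_CODE = bytes.fromhex("00" * 32)

class KeyVault:
    """Hypothetical stand-in for an HSM/KMS. The raw key never leaves this
    object; callers hold only an opaque handle and must ask it to decrypt."""
    def __init__(self, max_calls_per_caller: int) -> None:
        self._keys: dict[str, bytes] = {}
        self._calls: dict[str, int] = defaultdict(int)
        self.limit = max_calls_per_caller
        self.audit: list[tuple[str, str]] = []  # (caller, handle) per request

    def create_key(self) -> str:
        handle = os.urandom(8).hex()
        self._keys[handle] = os.urandom(32)
        return handle  # this is all the application ever stores

    def encrypt(self, handle: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(12)
        return nonce + _keystream_xor(self._keys[handle], nonce, plaintext)

    def decrypt(self, handle: str, ciphertext: bytes, caller: str) -> bytes:
        self.audit.append((caller, handle))  # logged before any policy check
        self._calls[caller] += 1
        if self._calls[caller] > self.limit:
            raise PermissionError(f"decrypt quota exceeded for {caller}")
        return _keystream_xor(self._keys[handle], ciphertext[:12], ciphertext[12:])

def bulk_decrypt(vault: KeyVault, handle: str, rows: list[bytes], caller: str) -> list[bytes]:
    """What the 'decrypt and export the database' script from the question gets
    under model 2: only as many rows as the vault's policy for that caller allows."""
    out = []
    for row in rows:
        try:
            out.append(vault.decrypt(handle, row, caller))
        except PermissionError:
            break
    return out
```

With `KEY_IN_CODE` the attacker's script needs nothing from the server after copying the source; with the vault it must keep calling `decrypt`, which is where a quota, an alert on unusual volume, or a revoked handle can stop it.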