Any cryptographic system can be attacked succesfully with enough of effort. The real question is how much work it takes to break a system.
Such workload can be measured by number of steps, be it computing a single encryption or merely looking something up in a table or perhaps something else. Step can be executed by a computer in a very short time, to the extent where a factor of a million is not terribly important.
This concept of security level is only approximate, we only measure the amount of work the attacker has to do, and ignore things like memory or interactions with the attacked system. It's useful approach because of it's simplicity (better to isolate problems and solve one at once).