I am debating with a friend about the security of a building lock that uses four user-selected digits as input. His argument is that it's enough physical security to deny someone access long enough for the people inside to take whatever action they want. I argue that because there are about 200 people who have access to the building, and they all set their own codes, probably dates of some kind, entering a few random numbers will open the door quickly enough. There is no lockout mechanism on this door.
What is the correct way to analyze this problem?