you are right.
The first stage of sending is that your bundle gets constructed, your transactions get signed and you do PoW and confirm two previous transactions. After this point, nobody can change or cancel any transaction.
The second stage is the confirmation of your transaction, which might happen fast or sometimes slow and maybe require reattaching (as you experienced yourself
It is possible though to create invalid transaction bundles, which will complete stage one but then never complete stage two.
One example is Oups' case here: https://forum.helloiota.com/19160/480-Mi-lost-in-Tangle
That's one reason why it's important to improve confirmation times and hopefully get rid of the need to reattach.
And then, something that could prevent a valid transaction from confirming after stage one has been completed the coordinator being switched off.
No coo, no confirmations. So for now, businesses (any everyone else) has to trust the coo.
That's just a few reasons why IOTA is not fully production ready yet, but all these things are being worked on.
Coordicide will be a huge step to finalizing the protocol and it will be very exciting to see how things proceed!
I wouldn't be able to help anyone without thetangle.org-explorer. If you feel like you want to support its developer Mathieu Viossat in maintaining his service, please consider a donation to the address shown here: https://thetangle.org/about. Thank you!