Minimal PoW is enough, we assume that there exist a constant flow of new transactions which is a pretty reasonable assumption.
Security of Iota relies on assumption that an adversary controls less than 50% of hashing power. This is a standard assumption in cryptoindustry. Bootstrapping period will be protected by checkpoints.
So for a transaction to be considered confirmed, the number of approving transactions multiplied by the minimal PoW must exceed the maximal possible adversary's PoW?