Actually, the maths behind it is both simple and complex. It's "rather easy" to implement a basic penetration system that'll generally do well at calculating theoretical numbers. Where the system itself get's complex is the point when you start implementing things like variations in the armour and round quality, shattering, spalling, APHE bursting charges, effect of different angles and hardnesses of armour and it's effect on different rounds etc.
Look here for an easy to use calculator that needs only a few inputs on the geometry, hardness and density of the penetrator and the same for the armour.
[url]http://www.longrods.ch/[/URL]
The real problem is the difference in data available to feed into the system. For instance, every major nation used different quality ammunition for their penetration tests, had different criteria as to what a successful penetration actually is, used different hardness targets, different target angles, etc.
Now all this theoretical data has to be analysed and "evened" in order to get somewhat accurate results. And this was done the combat accounts start rolling in. And then you find a test that will throw over half of the other tests you based your data on. Alan's job definitely isn't easy.
tl;dr version: All Data has to be "evened" out and interpreted, resulting in EVERY penetration system with real world data being different and possibly being incorrect. The only way to make the system more realistic is by matching the results of your system to other systems and RL tests and then adjusting the data accordingly.
If your system says that a tank can't be penetrated by a specific round at a very low distance while another system says that it can be penetrated at over 9 miles, there's something wrong with either one or both of the systems or the data that was fed into them.