The problem is typically that the higher-ups in any given company want to nickel-and-dime their IT security, typically only reacting once a breach has taken place... with the constant cries of the security folks falling on deaf ears, yet they're also the first to be blamed for the security failures.