Companies spend money on security when:
- They have a security incident.
- They have to comply with a regulation or mandate.
- The lack of security affects availability.
I don't disagree with this at all. But if true, I must be lucky. Where I work, most of us believe that as custodians of other peoples data, we have a professional and moral obligation to protect that data from exposure or alteration. We also believe that as custodians of other peoples tax dollars, we have an obligation to make wise, frugal choices on what resources we spend protecting other peoples data.
I like it that way.