When Nighthawk214 wrote that security wasn't hard, he wasn't wrong, but he was incomplete.
Security by itself isn't necessarily hard. If I want to secure data that I won't need to use without 1 business day's notice, I can just take two disks, each with a copy of the data, to my bank and put them in the safe-deposit box. Not hard at all. With a little extra effort I can encrypt each with a one-time pad and put the 4 disks in different banks.
Security with online or near-online usability requirements by a large number of people is harder/more expensive, and the more usability you want (just a few key employees at one physical location? all employees worldwide? customers too?), the harder/more expensive it can get for a given amount of security.
Yes, for some applications the level of security you need and the level of usability you need do make it a hard/expensive problem for that use case. But if you are at that point, you've probably determined that lack of security and/or lack of usability is more expensive or you wouldn't be going down this path.
The big problem I see in industry is people incorrectly assuming that it's cheaper to skimp on security than to pay for it up-front. A smaller problem is people overdoing it on security, spending $BIGBUCKS to prevent and mitigate a disaster when the actual cost of a compromise multiplied by the risk of that compromise is known to be well below $BIGBUCKS - or it would be well known if they bothered to spend a little time analyzing their particular risk environment.