How long ago was this talk? Only in the past year or so have power plants been subject to mandatory Cyber Infrastructure Protection standards (CIP standards -- another acronym to impress your friends with). Another set of standards is set to take effect January 1, 2010. The new standards require maintenance of a physical perimeter around all critical cyber assets, as well as controlled computer access. My experience (with a large company owning generation stations) is that cyber security has come a long way in even the past six months, and that your auditor talk may be slightly out of date.
Also, my own personal opinion is that several of the DHS "studies" of grid vulnerability are not entirely reliable, and in some cases were fairly overblown. It's one thing to "attack" a power plant in a controlled laboratory environment, and another to execute such a scheme in the real world.
That being said, there is always room for improvement, and it's something we take seriously. And all of the incentives are to improve security. First, the plant loses money every time it doesn't operate. And not just immediate revenues, but future revenues are often based on past on-line performance metrics. Second, a cyber attack could cause millions in physical hardware damage -- these are incredibly complicated machines, and one little disturbance could cause serious damage that could keep it off-line for weeks or months. Third, in some cases, power plants are subject to up to $1 million a day per incident in fines if we don't comply with cyber regulations.