I think his point is that even billion-dollar enterprises, who can well afford to hire entire teams of information security and risk management professionals if they cared to do so, frequently don't bother. While IT in general is seen as a cost center and is often woefully underfunded, it at least exists, because management recognizes at some level that without employees to build and maintain that infrastructure, they wouldn't be able to check their email or load up their dashboards and revenue charts. Information security has no such tangible or visible benefit, and thus falls into the category of "why would we pay people for that?"
The Sony case is interesting because this time around, unlike TJ Maxx, Target, Home Depot, et al., it wasn't millions of faceless plebeian customers who got fucked over. No, this time the victim is the company itself. Nobody's going to fix this by issuing a boilerplate apology and offering victims a free year of useless credit monitoring service. The corporation is the one suffering (oh, the schadenfreude!); this actually scares enterprise management types, because it's a threat that can be quantified. Sony's misfortune comes with the benefit that it's certainly cajoling a few other companies into taking a second look at their own security situations.