IT security has to be about risk management, not absolute risk avoidance. I've worked in organizations where security paranoia dominated all IT decision-making and it cost them dearly: tons and tons of money spent on IT and all it really did for the end-users was email and the Office suite. The organization had enterprise licenses for Visio, the Adobe Creative Suite, Visual Studio, CASE tools, and all kinds of other goodies, but it effectively took an act of god to get them installed on your machine, so most people just gave up. IT spent all its time resetting people's ridiculously long, impossible to remember, and always-expiring passwords. Right after Windows 7 came out, they finally "upgraded" to Vista. We probably would have been better off with a notepad, a bunch of inter-office mailers, and a nice mechanical pencil.
The cat, however, is out of the bag. The managers and executives who had a little vision (almost all in the business side, almost none from IT) leave the office, use all this cool tech in their personal lives, and start asking questions:
"Why does Quicken give me more insight into my personal finances than SAP gives me into my company's finances?"
"How come I have to send my people to a week of training on SAP anyway? Nobody came to my house and showed me how to use Quicken."
"How come I've never had a virus infection on my PC at home? All I do is keep the OS and apps updated and run a decent, up-to-date anti-virus package that cost me like $50. We spend a small fortune on anti-virus software at work, IT has gotten so paranoid they've disabled flash drives, and we still get viruses all the time!"
I understand that losing thousands of credit card numbers is a Bad Thing. But very few end-point devices, users, or applications should have access to that kind of data. Not even the CEO needs it and a sane CEO wouldn't even want it. For that matter, do you REALLY have to be storing credit card numbers?
Of course, there are other kinds of confidential data. But it would seem to me (as a developer, admittedly not a security guy) that there should be different levels of security for different kinds of data and different applications. Truly confidential data could, for example, require two-factor authentication with a smartcard, biometrics, or whatever. You could require digital signatures and encryption on confidential email. But giving every user a crippled Blackberry to carry around when what they really want to be able to do is see their (unencrypted) work email and calendar on the iPhone or Android device that they love and already own is just not acceptable any more.
Both sides are going to have to meet in the middle. Freedom and responsibility go together. Users are going to have to step up, get educated, take more responsibility for their IT, and exercise the common sense that stops the vast majority of common threats like virus infections. IT is going to have to figure out how to be responsive to the users and add value to the business. Otherwise, it's just going to be bypassed, have its budget cut, and, as an AC below said, the business will just go "to the cloud."
Only through hard work and perseverance can one truly suffer.