Absolutely true. Companies these days are like 9th century coastal villages in Europe. Snakeoil vendors are selling magic potions and amulets to the village inhabitants promising to ward off evil. These villages may have some security people. These security people might be diligent and hard working, but when a horde of vikings appear on the horizon there is little or nothing they can do.
We need to withdraw to fortified castles and towns. Centralise our security resources and, instead of making holes all over the corporate networks, ensure that there is only one way in and out. Monitor everything going in and out of the corporate network through a single chokepoint. If you want to set up your business outside the fortified walls, you take your chances. It won't stop all attackers, but it will stop most.
There simply isn't enough good security people, and those that are out there are scattered working with multiple companies - the attackers have all the advantages at the moment and it is only getting worse.