While I agree 100% with what you're saying, I think the problem lies in the fact that there is no consistent, *external* measure to indicate your security level, and that's where things fly off the rails.
There are things like SOX compliance (in the US, anyway), but that's more for auditability than security. What are the minimum required aspects your infrastructure has to have to be able to say that you're considered reasonably "secure"? Encryption of all data stores using an officially recognised encryption scheme? All logins for all devices managed through Kerberos? All communications between devices must be wrapped by SSL?
I don't know if there's an ISO standard or something that mandates these things, but it sounds to me that until there are some clear minimum requirements to indicate securedness, this all seems like nothing more than a license for insurance companies to print money on the backs of their clients.
One will *always* be able to give some hindsight response whenever a breach occurs... to the point where companies would have to lock themselves tighter than Fort Knox before they *might* be able to squeeze money out of their insurance provider.