Yes, you are misguided, but only temporally speaking. Right now, companies are rewarded for CYA. So they do what companies and MBA dicks do, they pay off the source of the interruption, claim Victory with Honor, and move on.
What may change in the future, and I expect it will, is that the financial repercussions will become so onerous that companies will start to pay dearly for their security screwups. However, a dynamic economy will provide some relief. Insurance companies will start offering CYA Security Insurance, Friend of the MBA in a Jam. That will hold off the stockholders who notice the bottom line...until the hacks get so bad that CYA Security Insurance rates rise to the point that it is more cost effective to put money into company security. That doesn't mean it will be a well-thought out reaction. It will be tainted with MBAitis of trying to get by with the mere will-o-the-wisp effort...until they get really reamed. Then, heads will roll, scapegoats will be found, fired, and given their golden parachutes.
After a long period of this stupidity, company governance will slowly, grinding their teeth, put the money into protecting their asses from security exploits because the wolves on the other end, i.e., stockholders, institutional investors, the Press, etc., will have have sharp enough teeth to take a significant bite out of managements' collective financial arses.
So no, we won't get to roast MBA Weenies on the spit, but we'll at least know which companies not to buy stock in...if we live long enough for it to make a difference.