It's much cheaper and easier to purchase insurance against the costs of an attack or breach
...right, which'll result in an Insurance Institute for Cyber Security (ugh) which'll mandate certain precautions in order to reduce losses. Insurance will be the driving factor in determining which controls work, and any CISO would be an idiot to buy insurance and not implement the controls the insurers want.
What ever you want is going to cost a little more than it is worth. -- The Second Law Of Thermodynamics