It's much cheaper and easier to purchase insurance against the costs of an attack or breach
...right, which'll result in an Insurance Institute for Cyber Security (ugh) which'll mandate certain precautions in order to reduce losses. Insurance will be the driving factor in determining which controls work, and any CISO would be an idiot to buy insurance and not implement the controls the insurers want.
When it is incorrect, it is, at least *authoritatively* incorrect. -- Hitchiker's Guide To The Galaxy