Depends on the industry. Yahoo? will pay $0 in fines for their breach. If you were a hospital you'd see $50k per patient, which adds up quite fast, and doesn't include stupid things like credit monitoring.
Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shitcan your CISO, who you ignored the entire time, because you need someone to take the blame.