Prevention is orders of magnitude less expensive than dealing with the fallout from an eventually inevitable atack.
The tragedy is that in the absence of attacks, local governments don't always allocate the necessary funds to employing competent admins who take a proactive approach to security.
Even more importantly, these admins need to be given authority to block attempts at lowering defenses in the name of convenience or "money-saving".
The problem is that lowering security expenditure is a good gamble for managers/executives: Chances are it will take a while before things blow-up.
In the meantime, you get the credit for "saving money", you will get promoted, perhaps move to another company, and the bomb will explode in the hands of your successor.
Depends, but usually the problem is that it is difficult to properly assess the probability of a successful attack and to get decision makers to believe that number.
The tragedy is that in the absence of attacks, local governments don't always allocate the necessary funds to employing competent admins who take a proactive approach to security.
Even more importantly, these admins need to be given authority to block attempts at lowering defenses in the name of convenience or "money-saving".