Unless the law mandates it and provides harsh penalties. Health care and financial companies, to name two industries, spend billions every year on security and privacy.
Spending billions != importance, especially if, as you state, it's mandated by law anyway.
I wouldn't disagree with you though in regards to a large proportion of companies in those two areas. I however was specifically speaking of the other industries, the majority of which still see IT as an unnecessary expense and anything more than "new password every 30 days" as an inconvenience.
I don't know how I can generalize my experience, but the research facility I work at prohibits use of Gmail (as a POP3 client); AppEngine is completely out of the question. Maybe it is less important if the company itself is in the US...