The truth is most firms, at least those I've worked at, don't really care about security. They just want to appear that they care. Security is hard, and you have to be vigilant. Pretending to care means you buy some overpriced appliances and software that no one manages. When the sh*t hits the fan, you can say "well we did X, Y, and Z but hackers are evil people". The take away story for most people in the biz and the public is not HBGary got hacked and so their security stuff must suck; it's that hackers are a true menace and wild and crazy and won't someone think of the children? So then business people yell at the government and say "hey OMG! We need lots of money to protect your systems and our systems because hackers are crazy". They do this via media so it becomes news stories. Then the public starts asking "what are you going to do about it, government" and the government says "we'll fund the security people to protect your credit cards!" and in flows the money. It's a part of security theater. There are always "new" threats so you can never stop paying for security.
via arstechnica.com