Very well put. Companies should focus on designing secure systems, not systems with security. There should be provision for making security decisions based upon business value that is unique to the organisation, in the same way that Web 2.0 AJAX technology delivers a web experience that is unique to the user.
The threats we face are no less than before, but as said, malware these days is much more 'run silent, run deep' than ever before - there will be no more major worms to make the press, but the bad guys will make increasingly more money. This is a paradox that compounds the problem of getting funding for security: less perceived threat but more actual threat. So you build secure systems with system funding rather than go for a unique budget for security. A good example of this is the drive for PCI compliance - the card payment guys are forcing traders to build secure systems with no sensitive information in the clear, so it just gets done that way.
There is a company that is at the forefront of helping organisations understand how to deal with security: www.securitymob.com (disclaimer: I'm not an employee).