What would you propose then?
The biggest bang for the buck on security spending are on relatively simple things like:
1.) Data classification and policy - what types of information are allowed where, who can access it, what handling policies apply, and what the consequences are if someone does something stupid in violation of said policies... like copying an entire repository of confidential information to a laptop or thumb drive
2.) User training on data handling policy (1), common data breach scenarios, and common social engineering techniques. This has to include, but usually doesn't, informing the users that they could be held liable, have their employment terminated, or in the case of classified government material even face jail for failure to follow policy. That's not to say that you will actually follow through on the threats, but many organizations view data security as an IT-only issue.
I'd guess that, incident-wise, probably 95% of data loss is the result of sloppy data handling (putting sensitive information in insecure, vulnerable locations), intentional mishandling of data, automated social engineering exploits like the "Here You Have" virus from a week or two back, and other types of viruses/malware.
That last 5% - or whatever the real percentage of skilled, intentional, targeted attacks is... like the Aurora attacks against Google - is where things get more difficult and potentially much more expensive. That's where you start talking about enhanced physical security, network segregation, disabling USBs, stateless OS, IDS, advanced encryption, etc... but it still doesn't need to break the bank. Locked down, physically segregated classified networks are as old as networks themselves and can prevent probably 4+ of that last 5%... with the "last mile", so to speak, being physical exploits of classified WAN links.
Of course, that's a vast oversummarization and even with a "bulletproof" architecture data can still get out. The point is that significant gains can be made in an organization's security with relatively simple and cheap methods. Start with A (data security policy), then B (user training on policy), and take it as far as you can reasonably afford to go. Just don't start at Z (quantum encryption), and work your way backwards.