Except there tends to be a large cost associated with it, unless you're dealing with P2P Encryption devices which are completely devoid of your network infrastructure. For instance:
Take a new merchant installing software for the first time, let's say it's an SME with 300-700 people.
There is a good chance that:
1) They have no one trained on security nor staffed by security.
2) Don't have the network configured properly for PCI.
3) Are about to scream at the software vendor when they need to improve the network.
So let's start with the first, most obvious and basic requirement. A firewall. Now, most companies have one at the edge but not all have two or three doing DMZ work. If they only have one, you really have three choices:
1) Segregate off a port on the current one (if you have the ability to, I'm thinking UTMs), works OK for smaller deployments.
2) Purchase another FW for DMZ (a requirement for PCI, but more than I care to explain).
3) Bring in a separate ISP line and add a firewall.
We're trying to keep it cheap so let's say we have a FW in place and have ports we can use off the FW for DMZ work and segregation requirements. Right now we're running on our admin time (a cost I'd associate with any project). We now must consider our servers.
Physical servers are actually less complex regarding PCI IMO, but even smaller SMEs are virtualized so this tends to be either an additional cost in hardware, or we need to go through the process of configuring our virtual environment, which with virtual you run into the problem of PCI servers and non-PCI servers on the same hardware. (Larger facilities can afford to have dedicated VM hosts for PCI VMs, SMEs don't really.)
I could keep going on this, I see it every day. We haven't even got into the cost of having a QSA come in, or the added requirements for remote access (most SMEs I come across don't use two-factor) and being SMEs with no security professional or trained staff they don't have:
1) An Information Security Charter
2) Don't perform risk assessment, vulnerability assessments, or gap analysis
3) Have no method for Incident Response
4) Have piss poor physical access
5) Have no documentation on log analysis, network maps, etc
So, cost tends to be a big point.