won't happen
Beancounters are beancounters. And security is a cost, with no upside.
It is very, VERY hard for IT folks to put up reasonable numbers for risk, exposure and the like. Beancounters know about buildings and fire risks, and accidents and cost of insurance against that, but nothing at all about risk and exposure for information systems.
In addition, much of the cost of breaches is NOT borne by the company. If your credentials were compromised at Target and your identity stolen - do you think they will compensate you for a couple of years of effort to straighten it out? No, they do a deal for "monitoring" at low cost to them, and this only alerts you after the fact that you have a problem. Nothing preventative at all.
So, try as they might, IT managers have little success in showing Boards the real cost of a breach (except in banks, I guess). And until that changes, Boards will spend less and less on security.