Good thoughts
Bruce, as usual, has the nub of a good thought and is directing it at a specific niche in the market.
"The field of information technology security is so complex that purchasing decisions are based on feelings and hunches rather than reality," is true but is not, in itself, the truth. The field of information security is certainly complex but in my extensive experience it is made more complex - not by buying decisions based on hunches - but by too many enterprises refusing to take a rational approach to managing the problem.
Let's not invest in process and structure to manage security. Let's, instead, focus on spot solutions to symptoms and fling bits of kit and gollops of software at the network. (rather like trying to cure smallpox with the application of Nivea). This demonstrates the we're Doing Something Tangible, keeps us solution-addicted security managers in a job and avoids having to spend actual money deploying actual long-term solutions based on actual (expensive) experience and knowledge.
I imagine Bruce had this at the back of his mind when he made these comments but, because of his position, is unable to articulate the thought. Unless and untl businesses and other enterprises accept a structured, well-managed security program as a cost of doing business then we'll continue throwing crap at our networks and using crossed-fingers as our main security posture.