Cure or safety blanket?
I think the reason that the uptake is so low is that nobody can make a good financial case for additional security.
It's all very well bringing in someone who'll wave their arms in the air and scare you with apocryphal stories that don't have enough detail to be useful. But when it comes down to it, these SMEs will ask the following:
* What will it cost me?
* What financial savings will I make ?
* What guarantees can you give me?
And, like all things to do with IT security, there are no solid, consensus numbers. No formula. No certainty. So there will always be some companies - usually the ones that have suffered a major incident - who will be receptive, most will have more pressing, tangible, objectives for their budgets.