I wonder if the spate of massive hacks which show how porous most big organisations are will finally show how much of a pile of crap our security approach is.
Big company security is all audit and compliance carried out by not very technical people so it becomes about process rather than protection. A bit like getting a girl to sign an STD waiver rather than just wearing a condom.
In the last two big organisations I have worked at there have been big holes with easy and cheap fixes, but the security folks won't look at them without a project code, and without their approval you can't make the change to close the loop.
In another organisation the security team spent a huge amount on PCI DSS consultants but wouldn't spend the money to replace old PIX firewalls with something that was supportable. That organisation processes credit card info and holds it unencrypted on behalf of many clients you almost certainly use.