In my experience it is one thing for a company to pay for, and deploy, a set of complex security products that combine to give a good view of what is happening on the network, where the gaps are and first line response tools etc.
It is quite another to make those tools work. By which, I don't mean just keeping the boxes up and running, but actually using the intelligence the tools provide in a constructive manner to secure the borders etc., especially in a large and complex organisation with many different trust zones.
Most of these large companies are buying this stuff to defend their crown jewels, but forget that their support models are all based on volume & 24/7 response time type SLAs etc., when what these types of products need is a Rolls Royce support solution that hasn't been fashionable in IT for nearly 20 years.
It requires a combination of product expertise and knowledge of the environment. Add to this a focus on the task at hand (rather than being a part-time 'focus' group or whatever) and enough bodies that if someone leaves it doesn't leave a massive knowledge gap in your defences.
The business procedures also need to be aligned to allow the (hopefully properly tuned) alerts to get to the right people in the right kind of time-frame to make a difference to the response and how effective it will be.
None of this is cookie-cutter stuff, and the quality of people required to do all this properly for a set of 6 or 7 interwoven security tools means it is hard to achieve without some form of internal training from the people who know.
At the end of the day, to do the job properly it costs an awful lot of money (not just the equipment, licenses and support) to keep the engine tuned and working efficiently, money which is hard to come by on an on-going basis (as opposed to the upfront costs of setting it all up).
Unless you are a critical infrastructure provider, or a defense department skunk unit, it is probably more money than can readily be justified.
In the end most of this stuff ends up as shelf-ware, sitting in the network with no-one looking after it (or even looking at it) - which means all that up-front money was wasted.
A lot of companies buy the stuff without realising the support commitment involved. Just one of these products can be a bitch to maintain; bundle a whole load together and you are asking for trouble unless you know what you are about.