they missed the basics
Two fundamental steps before setting out on *any* programme of change:
* How will we measure its success?
* What value does it have (i.e. how much are we prepared to spend)?
Now I know that "security" is one of those icky, intangible things, like fun or quality or safety. However, if an organisation can't quantify its goals, it will never know when they've been met. How will the organisation know when it has enough security? Or too much?
So far as value goes: you really do need to quantify this. Are you willing to spend 100K to secure your data - and which pieces of data, exactly? Until an organisation is willing to pledge real, hard cash to improving security (or anything else, for that matter) it's not really taking it seriously. Another measure of seriousness is: who gets fired if something goes wrong? If it's merely a little manager somewhere, that smells of scapegoat - it's down to the seniors and directors to carry the can.
Personally, (god forbid) if I was a CIO worrying about how to secure an organisation, I'd give serious consideration to finding out how many problems were down to the staff, and what would be the worst thing to happen if they all had internet access removed, forever.