"Not really. He needs experience in thinking things through (a mathematical mind can help a lot), minimizing what is confusingly called "attack surface" and needs to have an array of goodies at his disposal to perform defense-in-depth"
Exactly.
A lot of companies don't put any thought into security at all. Just tick the box "yes, we have anti virus software" and then move on. It's absurd, because I consider it a good day if AV catches 40% of threats at my gateway.
You don't even need to spend anything to achieve defense in depth, it's possible to do with no spend. How do your threats come in?
Via email? Stick in a copy of Xeams for anti spam and then drop every email with an executable file attached. (and especially executable files in a zip file) Need to receive .exe files via email? No problem, stick an obscure word on a whitelist and then tell people sending legitimate .exe files attached to emails to include it. </end email virus problem>
Via USB stick or similar? Block auto run via GPO.
Want to harden the desktop to the point of invulnerability? No problem. Stick in a Software Restriction Policy via GPO preventing any defined formats (.exe, .bat, .vbs, etc.) from running outside of %program files% and the required network shares. Good luck infecting a computer secured this way, even if somebody has a virus they can't open the bugger. Group Policy & SRPs are of course built into Windows and free.
Worried about Macro based attacks in MS Office? Set a group policy for office setting Macro security to medium. (requiring people to enable macros for each document)
Worried about people embedding a flash file in a Word document? Use Microsoft's (free!) Enhanced Mitigation Experience Toolkit to prevent flash running from within certain programs.
Virtually everything you need to harden a network to the point of complete invulnerability is available free of charge.
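The email rule described in this post (drop any message carrying an executable attachment, including executables hidden inside a zip, unless the sender included an agreed whitelist word) can be prototyped as a small gateway filter. The following is an added example written for this thread, not code from the poster or from Xeams; the blocked extension list, the `WHITELIST_TOKEN` value and the sample messages are constructed for illustration and would be replaced with your own values.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed block list: extensions the post says should never arrive by mail.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".vbs", ".cmd", ".com", ".scr"}
# The "obscure word" from the post. Hypothetical placeholder value; pick your own.
WHITELIST_TOKEN = "zebra-teacup"
# How deep to look inside zips nested in zips before giving up.
MAX_ZIP_DEPTH = 3


def has_blocked_extension(name: str) -> bool:
    """True if the filename ends in a blocked extension (case-insensitive)."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def zip_contains_executable(data: bytes, depth: int = 0) -> bool:
    """Inspect a zip payload; recurse into nested zips up to MAX_ZIP_DEPTH."""
    if depth > MAX_ZIP_DEPTH:
        return True  # too deeply nested to inspect: treat as suspicious
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if has_blocked_extension(entry):
                    return True
                if entry.lower().endswith(".zip"):
                    if zip_contains_executable(zf.read(entry), depth + 1):
                        return True
    except zipfile.BadZipFile:
        return False  # not a zip at all, nothing to inspect
    return False


def classify_message(raw: bytes) -> tuple:
    """Return ("drop", reason) or ("deliver", reason) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    whitelisted = WHITELIST_TOKEN.lower() in (subject + "\n" + body).lower()

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        is_exe = has_blocked_extension(name)
        # The post singles out executables inside zips, so look inside archives too.
        is_zipped_exe = name.lower().endswith(".zip") and zip_contains_executable(payload)
        if is_exe or is_zipped_exe:
            if whitelisted:
                return ("deliver", f"executable attachment {name!r} allowed by whitelist token")
            return ("drop", f"executable attachment {name!r}")
    return ("deliver", "no executable attachments")


def build_sample(filename: str, content: bytes, subject: str = "Invoice") -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Construct a zip archive holding a single file, for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain pdf": build_sample("report.pdf", b"%PDF-1.4 sample"),
        "bare exe": build_sample("setup.exe", b"MZ sample"),
        "exe in zip": build_sample("docs.zip", make_zip("setup.exe", b"MZ sample")),
        "exe in zip, whitelisted": build_sample(
            "docs.zip", make_zip("setup.exe", b"MZ sample"), subject=f"{WHITELIST_TOKEN} installer"
        ),
    }
    for label, raw in samples.items():
        print(f"{label:28s} -> {classify_message(raw)}")
```

The whitelist token is checked in the subject and body rather than in headers the sender does not control, which matches the post's idea of telling legitimate senders to include the word. Note that the token is only as secret as the people who know it, so rotate it if it leaks.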