Nothing new here...unfortunately
The article just rehashes all the talking points that those of us in InfoSec espouse and that fall on deaf management ears. Management just doesn't want to spend the money, generally speaking. And when they do, they think that they can just throw money in an IT pot and magic will come out without any follow-through, day after day, year after year.
My personal thought is that we as InfoSec professionals - who really "get it" - need to be more adept at selling our ideas to MBA types that run the company. In some ways, I think we as a whole must be failing to a certain extent, when we go to get "buy in" on our ideas. Supposing we have a good case for some security measure, hiring of more employees, etc., we need to learn to speak the business language of these MBAs in order to get our point across...prior to the exposure and loss of critical data. Anyone can be convinced to increase IT security after a hack and loss occurs. As an aside, maybe we InfoSec folks need to hone up on our business skills so that we are the best candidates from senior management's and HR's point of view when it comes to putting in place the next manager over IT/IS assets...we need to fully understand that which the MBAs do in order to talk the talk with them when it comes to management of folks - so-called "soft skills" - finance, etc.