That's _possible_ but fundamentally I'm looking at this from the perspective of requiring new work to be done by expensive people (infosec, dev, ops are all in-demand skills) — maybe some of that comes from changing team priorities, in which case the cost is less feature work, but in most cases I'd expect that to be hiring. There aren't many breaches which have direct costs greater than that because companies have been able to avoid penalties or compensation in most cases. If the cost of a breach was greater than, say, a year of free credit monitoring that calculation could change dramatically.
Ransomware has already changed this somewhat: now the cost is halting operations for a potentially lengthy period of time, and that has spurred a lot more awareness that the current model is insufficient but not from what I've seen significant efforts to change it.
Ransomware has already changed this somewhat: now the cost is halting operations for a potentially lengthy period of time, and that has spurred a lot more awareness that the current model is insufficient but not from what I've seen significant efforts to change it.