Fact is that breaches are not putting companies out of business. In fact, they are not crippling the organizations in any way, as you can see from their stock prices evolution.
So what? Does it mean that security is irrelevant? Unnecessary? No, it means that the impacts from those incidents have not been as big as many in the field have forecast. But nevertheless, they are not small change. There are many other bad things that happen to companies that don't put them out of business but affect their bottom line. The Target breach was very material (that's they key word I think we need to have in mind) and it made its way to their financial results report.
During fourth quarter 2013, Target experienced a data breach in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information. The Company incurred breach-related expenses of $4 million in fourth quarter 2014 and fullyear net expense of $145 million, which reflects $191 million of gross expense partially offset by the recognition of a $46 million insurance receivable. Fourth quarter and full-year 2013 net expense related to the data breach was $17 million, reflecting $61 million of gross expense partially offset by the recognition of a $44 million insurance receivable
Hundreds of millions of breach-related expenses. That is material enough for them to be mentioned in the report, even if it didn't put them out of business. If you were the executive in charge there you would probably look at how much you were spending on security in comparison to that number.
Security investments can be justified by reasonable expectations about breach costs. No need to paint an unrealistic scenario for that. I'm certain that most CISOs would be happy with a budget that was just a small share of those costs. No need to exaggerate on the doomsday scenario.