HORRIBLE ARTICLE
1) don't write an article which references a report where you have to pay out almost $200 to read.
2) find someone who is known. Perhaps a well published individual so you have more than one piece of reference to use.
3) What he stated is DUH. Nothing new or impressive.
4) Spending depends on more variables than can be put into this article. Many MORE. Again, what is stated isn't new or impressive.
5) What does he mean by "misuse IT security spending"? What an idiotic statement. This alone should let you know he's someone who will be disregarded by the InfoSec community.
6) I assure you, most organizations know their security budget. I assure you it's all based on risk and accepting the fact nothing is totally secure. It comes down to whether an organization can afford something vs the risk. Not a difficult subject to work.
Some organizations accept more risk than others. Some organizations can accept a huge amount of risk, others cannot accept much at all. This largely depends on the type of industry IT is supporting.
In short... making the statement on what percentage of the IT budget should be spent on InfoSec is moronic. Putting together a sound risk management strategy to allow a business/organization to still make money is where this article should focus... not some stupid range of numbers.