Why do most of the commentards talk about the application layer? The real business logic and MOST of the protections should be at the RDBMS layer. Presentation layer protection, don't make me laugh (or cry, really). There is no way to protect that. The application can easily be spoofed; we are all aware of injection attacks etc., but a properly designed DB will bounce all of the unauthorised accesses and log all the details of such attacks.
The problem is that good DBAs aren't cheap, we tend to be a bit shouty and like things done our way, and that's usually the best way. BUT a good DBA can save you millions in cash and public embarrassment.
However, as some have pointed out, the senior (I still snigger for I think of this phrase) management are ONLY looking at the bottom line. If they can save a penny a year, they'll go for that option. More in the pot for their bonuses.