Re: Who is "we", Kemosabe?
While what you said is absolutely true, I think he's going for the thought that some companies work on the process that security breaks things and the downtime risk is more important than a security breach to them. The only recourse the security team has is some form of risk to management of gross negligence, and using the number as a cudgel against them to put them individually at risk. That number often can be used as the trigger point of gross negligence to force them to divert resources, delay product release, etc., that they would otherwise jam through, because we haven't gotten hacked yet. Not saying that companies that work that way are right or even sane, but that's the way it often is.