A lot of small firms get hacked because of the ignorance of senior members of staff. On the flip side, there's a lot of companies out there basically selling snake oil whilst others are simply price gouging for the hell of it with the "promise" of "Making your systems bulletproof".
Majority of attacks succeed because of poorly configured systems coupled with extreme "I know better" attitudes so prevalent in the security sector right now.