It's been my experience that only when forced into high-level assurance through compliance auditing, usually by the government, will companies care enough to spend the money on formal security methodologies. The same can be said for any one of the CMM models. If the company isn't required to ensure that their processes are that defined and repeatable, they simply won't do it. It is too hard to sell a formal security model based on the idea that it is better, even if the cost/risk analysis shows that it is the best option to follow. But like Catch said, sometimes even the threat of going to jail can't make the managers care. Most companies in the US are being destroyed by the stock market and Wall Street investors, because the stock price is the only concern. They couldn't care less about the security of their private customer information, or the quality of the product they are providing, but that is an entirely different conversation.

I think a lot of this has to do with the knowledge of the managers, both senior and middle, and the knowledge of the IT staff. The IT staff are mostly misinformed about what good security is, many times beating the "use Unix" horse and not understanding the merits of good policy regardless of the OS. These managers are supposed to be visionary and set the tone and direction of the company for years to follow, but because of the short-sightedness on the stock price, they can't get past this quarter's dividends.

I believe this will change as more PhDs become the CSOs of the major corporations. I know that I've seen major changes at my company, and we are still nowhere near what the formal security models call for. But it is a major step in the right direction. I've seen way too many CSOs and CTOs that are just buddy-buddy with the CEO or someone on the board of directors. Most of them have MBAs, but no formal IT security training, certainly not at the master's or PhD level. They just happened to go to school with the president or are in some other way in the "good ol' boys club" and can talk the executive talk...