Don't know about Fortune 1000 security, but i do know something about a much larger companies security. It uses security, that just isn't in the current market for the private sector to purchase. Some of the larger features that I think is in the private sector is BlueCode (I'm not currently sure where the site would be found for this, i did a little searching but wanted to finish the post and couldn't find it.) Though what it does is mirror off a port on the backbone switch, generally coming off the internet, and grabs all current user sessions and can do statefull packet inspection on it. Making sure that all IA's are doing there scans and are pushing out patches through WSUS & SCCM. You also want to make sure if there are policies are in place that everyone is trained on them, such as if you don't allow personal laptops/flash drives/hard drives in a specific department (R&D?) the IA's are doing qTip scans to make sure that the policy is being kept in place. And thus locally hosted is the best, you don't want to be connecting to an outside network to be scanning your servers. When you can physically lock them inside your sever room. Having a hot site if a disaster happens, and the company is needed around the clock is a must. Even if the site is warm, and backbone infrastructure is currently implemented.

Though there is a good chance i am biased, and want everything done in house, rather then putting things on the cloud. (As much as i like cloud based software, its not exactly safe from a security standpoint.)