Here is a bizarre observation: many security vendors here at RSA try to sell security by saying "latest survey shows that 67% of companies are missing the control X. Oh horror! - Buy X from us NOOOOOW", and very few sell security as "latest survey shows that 67% of companies have suffered the loss of $X via Y. Oh horror! - Buy Z from us to stop Y NOW".
So what if a control X is missing? Really? Why the f do people need to care? Richard said it well here too.
And the reason there is more of the former (add missing control) and less of the latter (stop loss) is that they themselves don't know whether what they sell will decrease the loss ... It does suck, doesn't it!
And then you meet somebody honest who sells incident response tools :-) And it has been proven that good incident response tools and practices decrease incident loss. Easy, huh?