Computer security is always expensive and a hassle, so don't expect infrastructure orgs, like PG&E, etc., to cut their profits by implementing strong security or maintaining their infrastructure at 5 nines until, like PG&E or BP or Exxon, something catastrophic happens, like people getting killed.
It's cheaper for the orgs to pay their liability insurance and run with their pants down until they trip. And usually it's not these orgs' employees or mgmt that gets inconvenienced or killed. Dead and maimed people are just capitalism's cost of doing business.
As with Wall St having the funds to overpay and suck up so much young intellectual talent to maintain Wall St frauds and gaming the system, criminals motivate their security crackers with much better pay than your garden-variety corporate chair-warming Chief Security Officer and his salary-squished team. Aka asymmetric warfare.