Agree on the value they assign it. Is too low.

Knowing a couple of incidents first hand, this is going to be a very difficult problem to fix. The biggest issue is that IT is IT's worst enemy. Unlike most departments, management has to fully rely on IT's word that they are following and implementing security policies that are effective. These policies suck for IT personnel though as they make their job much harder. Thus they love to take shortcuts. Attacks come in a few vectors but predominantly they like to hold data for ransom or in this case, may love the Intel they can get. Virus scanners work mainly on known viruses and new viruses can get past them.

So here is an actual true attack I was personally involved in. Large company with very good virus scanning has employee install, unwittingly, a remote access application. Some new virus but it took the employee's approval. Employees need internet access and draconian restrictions result in IT being chastised by said employees. So IT hates being hated and tries to accommodate for multitude of reasons that results in less secure networks. Once remote access is running, bad guys install apps to make virus scanners appear functional but do nothing. Then they install keystroke recorders while scanning the network and just getting a lay off the land. At some point an IT technician is officially at this computer because for 'some reason' it lost access to a shared resource. Oh it just needs elevation. Instead of pulling out their laptop and logging into their secure desk computer few stories up, they decide to use said employees desktop instead to access their computer and update the infected computers credentials. This alone is not dangerous because the infected computers does not have access to backups. But the Keylogger on it has now transmitted the IT personnel access credentials to the bad guys. Later that night when business closed, they use the infected computers to log into the IT technician's computer. From there they install additional keyloggers and review access and any other software they want. Then they they watch this guy as he does upper level maintenance across their network for weeks/months. Maybe they get into a few more computers until bingo, someone maintains a backup that gets keylogged. Ransomware attack encrypts all databases and the backup and demands for two million dollars shows up.

In this particular case, luckily an off-site backup is found but it is a month old. Lots of employees trying to recover by memory some of the lost data. Management angry because IT been telling them they are following best practices. IT angry because they truely could use more money. Regardless, more money won't fix a guy that is too lazy or too overworked or doesn't care or... to start up his secure laptop or real two floors up to insure he is not using elevated services on a compromised system.