Computer Weekly has an article in which they discuss a Garner Group keynote speech:

"In a keynote speech, he [ed: John Pescatore, Vice-president at Gartner] said that retailers typically spend 1.5% of revenue trying to prevent crime, then still lose a further 1.5% through shoplifting and staff theft, costing 3% in total.

But Gartner's research suggests that the average organisation spends 5% of its IT budget on security, even with disaster recovery and business continuity work excluded, and IT managers are tired of requests for more. Security has dropped from first (in 2005) to sixth (in 2007) in the firm's annual survey of chief information officers' technical concerns."

I find this an odd argument.
Should the real driver for IT security investments not be the amount that is spent on security, but the amount of losses that are prevented with the money that the controls cost?
If a bank is is robbed and $100,000 is stolen it is a very big robbery. If a bank's IT security controls are penetrated, the direct damage alone will far exceed that amount.
Costs-of-opportunity are also costs.