The budget is right but it's more of a skill and resourcing issue. The team that handles security policy is not "IT" and the Infrastructure team handles actual security.
In my experience, the challenges don't usually lie around having enough tools and resources as much as having a well-defined process that is then consistently used.
Too many silos even though budget is not an issue.
Budgetary constraints are only half the issue. The challenge lies where the responsibility demands attention; many just ignore the reality and go forth as if there is nothing wrong or threatening. It is a ubiquitous challenge for staff as well as the C-level folks for balance.
I think I see and agree with one of the common themes - time. Even with good upfront processes, it's a never-ending slugfest to remediate security and get other stuff done.
Vulnerability is even more esoteric than threat and most organizations seem to put vulnerability management into the category of "we'll get to it."
Second the budget thing. We have bought so many new tools recently, but do we really know how to use them all? Debatable.
\m/