There is little difference between the aims of IT security and insurance. Businesses make investments in both because they know they have to and it would be irresponsible not to. IT security products are purchased to protect against threats that it is hoped will never occur. In the same way, when we insure our houses, we do not intentionally burn them down (OK, there are some exceptions).
Investment in IT security needs to be proportionate to risk and the problems that arise if it fails. In some cases the actuality is more serious for some organisations than others. It is worthwhile for a bank to take the step of storing customer data as encrypted because if the data falls into the wrong hands there is the potential for financial loss, brand damage if the media find out and legal consequences arising from breeching regulations.
