I can only agree, but...

It is true, Directors don't see the need for security. It costs money, doesn't bring revenue. Out of my own experience at an ISP: Statement of the CEO "We don't need firewalls"

If you explain security to the board everybody nods but nobody wants to understand that security is revenue protection and not revenue generation. The result of this: The security department was dismantled and quite frankly after over 3 years figting a constant battle i also had enough so wasn't too sad.

For the security manager/team there is the pragmatic way, wait until something serious happens, but then the board comes along and says the department didn't do it's job, the argument against it: We mentioned it already and worked out a solution but the business didn't support it. But the kicks up the backside do come regardless and they always come from the top down.