We are NOT winning... far from it.

All the data you post has little to do with hackers, or focused attacks against your data. These contingency plans typically translate into geographically distributed datacenters, which are mainly there to protect you against natural disasters. As they typically try to mirror a site's functionality on another site, a focused network attack against a site is very likely to be successful at the backup site as well. And guess what - people started building them not because they would necessarily need them, but because they were regulated by governments or international consortia (Basel II/BS27001/SOx/....).

Acceptable use and email policies defend you against your own people. Password policies? There are no effective password policies that I know of, and that actually work. There is basically no mention of any security process or technology (such as data classification, segregation, least privilege, defense in depth, etc.) that would address focused ("hacker") attacks against one's data in this article, and I feel ElReg should review its journalism standards, and not quote vendor survey results (which are always used to set up some agenda of their own).

Good security is about knowing what you need, and not waiting until you get regulated or doing the thing everybody else seems to be doing.