When developing a security program, many organizations decide right at the analysis stage that the cost of the exercise, and of the resulting policies, strategies and countermeasures, is the primary concern of the whole effort.
Yes, there needs to be a budget, and it needs to be managed. If you don’t want to go outside the dollars that have been allotted, be sure to send a memo to all of those threat actors looking to target your business, outlining what you’ll be able to afford from their actions. And nothing more. That’s just professional courtesy.
A security program that is built to stay firmly within, and confined to, a budget will fail.
