The cost of doing nothing is perceived to be the cheapest route. Not necessarily correct and not necessarily the right viewpoint.
We are sometimes blind to the notion of taking security and risk management seriously (not everyone, some). Why? Because then we believe that we’re falling into the belief that we’re (us/we/I/the organization) vulnerable.
It’s a psychological shift in accepting that conducting a threat risk assessment (TRA) is beneficial. Yes you do acknowledge that there are some risks to your organization, yes you acknowledge there may be some losses. It doesn’t end there. Work through your TRA and find where you can reduce those risks, minimize or even eliminate those losses and you to can embrace the benefits and rewards of a properly executed, annual TRA which will only affect your bottom line and protect your assets.