What Executives need to realize is there is no shortcut to security in a company. There is no single switch to flip, no single device to install, or an anti-virus renewal that will make a business secure. Security is achieved through a managed process. It requires a various products, people, and testing to achieve success. You could pay an expert to come into a company and perform an assessment. At the end of that assessment you review a list of what is wrong. You could then hand that to your IT team, they make the necessary corrections, and away you go. While it is true for a short period of time ( a day or two) you may be secure, then in the next week or month settings are slowly changed, users scream so the settings are slowly dialed back. Next thing you know you are right back where you started.
Why did this happen? Because there was no company requirement to be secure. No policy, no guideline, and no true desire.