How do you know the smoke detectors in your house work? Do you assume they work or have you tested them? How do you know the brakes on your car work?
I believe that if companies spent a small portion of their current IT budget simply testing their security, they would have a better handle on their position and what they need to do next year. If they don't test their security, or lack of security, I really don't understand how they can plan for 2012.
Basing budgets and projects on instinct and not hard facts is never a good plan.