Time, I suspect, will show. With current average burn rate or a turnover of around 2 years for CISO, it may very well become a self-perpetuating problem.
The discussion is ongoing about us being able to communicate the risks to our boards and where the line is drawn between our responsibilities and capabilities (as defined by our mandates, availability of resources, etc...).
Then there is always a chance. You can do everything right and something awful may slip-by, either because your vision is not quite materialized (i.e. you did not yet get your ducks in a row), or because some nasty is quite new and unexpected, that all the due diligence could not possibly have addressed.
So, whether you'll win a lottery or are thrown under the bus, may or may not reflect the quality of the services provided.
Ours is to try our best, then try harder, (while keeping our fingers crossed in hopes of getting "there"), before it's too late.
After all, these numbers are there because there are problems that must be addressed, whether known or not yet, and the hire is often enough prompted by the "event".
Ask me in a year, I may have more to say on the subject.