It looks like one of the major options that we heard touted in the CBK may not be all that advantageous. I don't think it will improve as more data is gather regarding cyber incidents. It will be very hard to predict where the next issue will come from.
Some years ago there was a really good Mac vs PC ad to impress this type of budgeting https://www.youtube.com/watch?v=sWLfEVGwjrA so nothing new under the sun.
From our experience in little New Zealand; many of the 95% Small to Medium Enterprises, regularly use cyber insurance as a means of mitigating the initial shock horror to cover the costs. But then the the major cyber insurance providers then hit them subsequently with ISO 27001 and audits to compensate with higher premiums, if they do not comply to requests.
There is a notion going around about placing liability on vendors as well - not sure how far that is going to go at the present time.