ThreatPost.com has a write-up about some new research into the world of digital security:

A paper  by Forrester Research, commissioned by  Microsoft and RSA, the security division of EMC, found that even though  corporate intellectual property comprises 62 percent of a given  company's data assets, most of the focus of their security programs is  on compliance with various regulations. The study found that enterprise  security managers know what their companies' true data assets are, but  find that their security programs are driven mainly by compliance,  rather than protection.

"Even enterprises with a high number of incidents are still likely to  imagine that their programs are 'very effective.' We concluded that most  enterprises do not actually know whether their data security programs  work or not," the study found.

I wrote a poor rant last August about how horrible some of these PCI scans are at realistically evaluating website security. It seems like the big-name research is confirming what I said. Most companies are worried about compliance rather than real security.