It's not even as simple as this. Sometimes, ignoring problems can actually be cheaper. Public perception, as well as government fines, will often treat companies more nicely if they were ignorant of the full breadth of security issues than if they knew about them but did nothing.
It's a failing of our system, to be sure. I've been asked to stop doing a security assessment halfway through, because once the client realized that the assessment wasn't going to just be "everything is 100% A-OK!", they didn't want it to be on record. If they were breached, they didn't want any paper trail of the executives knowing about the security vulnerabilities that could increase their liability in court. They preferred to be able to claim ignorance.