This is a good example of the fact that many organizations do not view security as a top priority. Management is not willing to invest extra money to comply with security standards - this is especially true for small companies. They don't see the ROI (unless security is breached). It is interesting to see that more than half don't have faith in standards (PCI DSS); is it due to a lack of knowledge about the standards, or is it perceived to be more costly to have security measures in place compared to recovering from a security breach? On second thought, I shouldn't be surprised about these results considering the large-scale breaches (1, 2, 3, 4, 5) we continue to see.