Once again, Richard Bejtlich at TaoSecurity takes quantitative measures to task:

Remarkably, after making this statement, he follows it with:

he irony of this superficial take on security spending (and perhaps the biggest "if" as weak probability statement in the security profession) highlights the nature of the problem and gives us an opportunity to see the value of applying some quantitative measures. Some of you might be agreeing with the statement, but if I say, "Okay, I am going to spend a trillion dollars on it" you would likely suggest it is a ludicrous amount. It might even make you mad, even though I wasn't the one who said "it doesn't matter."

Here's the point: someone lost in ambiguity-land can say "it doesn't matter how much you spend" and not really mean it, while someone with quantitative measures would quickly be shown the door at $1 trillion, $1 billion, $100 million… until some point that is considered "reasonable" within the context of the situation.

In short, folks who use quantitative measures can be judged. The level of precision may not be accurate, but everyone understands it and can offer their own value judgments to the approach.

On the other hand, using subjective "expert" opinion, one can establish much more wiggle-room. I think of this as a cop-out.

No doubt, this stuff is hard. It will never be perfect. But it is ultimately more beneficial to an enterprise than existing guesswork, if only to get past the subjective joke of suggesting "it doesn't matter how much you spend on security." Clearly, it matters.