I am currently in a similar position. I've spent most of my time in the SMB realm as a consultant. Most of the SMBs that I have worked with are much better off security-wise than the big enterprises. I think what makes this work is, for one, that their risk from data loss is much greater than that of a large organization. It could be the difference between closing the doors or keeping them open for another couple of years. They simply don't make the revenue to afford any major fines, or to have their IP stolen and their business fly out the door to the competitors. For those that realize this, security means everything.
Now back to the large enterprises. At this time, I think many are in a reactive state due to some breach or major incident. They are in clean-up mode and looking for the "magic bullet" to help them protect their data from "APTs." My problem with their approach to remediating these issues is the fact that they are not even practicing security 101. How could you take a 501 course when you haven't met the pre-reqs??? You don't even understand the basics, but you want to jump right into the advanced skills. OK, you have the firewalls, the IDS/IPS in place, and a switched network with a solid core. Let's ensure we are using those devices to the fullest extent before buying more crap that no one knows how to use.
Don't even get me started on outsourcing. My feeling is that, depending on the size of the environment, you should have at least one FTE per area. That FTE should be at an expert level for that system. They should send the tasks to the outsourcing company to complete, but at the same time they also understand and can perform the duties required. They are available on the higher-level engineering side. They can focus on improving the architecture and allow the outsourced company to perform the day-to-day operational tasks.