It is really based on risk. Folks who are not protecting sensitive data, financial transactions, etc. may not have a high enough risk criteria to spend lots of time on security.
The process is one of risk assessment, risk management.
Refer to this paper for more details on the process of risk management:
http://www.silkroad.com/papers/pdf/m..._paper_430.pdf