In a large organization, I believe that ultimately the CSO (Chief Security Officer) and the CEO (Chief Executive Officer) share the responsibility of security choices.
CSO – Needs to evaluate risks, priorities of addressing them, analysis of the mitigation solutions available, and the costs involved
CEO – Needs to consume the analysis reports given by the CSO and take a budget call on what the company is willing to invest, how much, and the accept the risks involved when choosing a cost-effective solution
If the company is then subjected to a hack or a data breach – if the reason comes down to having chosen a less-effective solution to justify costs – then that was an executive decision based on the budget, that the CEO took a call on.
If the CEO had gone with the best solutions that the CSO had presented, then the CSO’s analysis and judgment call should come under scrutiny.