I would take a slightly different perspective on the problem however. The 1$ million dollars is not just spent in one place but spent multiple times in defense of the black-hat team as they can target multiple organizations, i.e. the same team can move from target to target without spending any additional money, and force multi-millions of dollars in defense in multiple companies.
The other reality is that the defense is not just defending against one black-hat team but the potential for multiple black-hat teams.
My opinion is that like the black-hat teams, the defense should target the amount of money spent on the defense based on the potential loss of the information (or availability if that is the risk). This then would balance as you can spend less in focused efforts targeting protection of the specific information. There is no reason to spend $$$ on a commercial security management solution to protect only one table in a database where the sensitive information exists. The problem is that you have to know where that information lives through-out its life.