The (traditional) three questions
Things like response plans are laudable, but security is like any other company process. It will always be subject to executive scrutiny. That will involve providing adequate answers to at least these three questions:
1.) What is the company's legal / commercial obligation?
2.) What will it cost?
3.) How much will it save?
And I would suggest that one of the barriers against widespread adoption of additional anti-phishing measures is a failure to address those points.
The first one is the easiest. It is probably the only one that has a clearly defined response. Depending on the details of the company, the sort of data it handles and the markets it operates in, demonstrating a requirement to comply with some sort of "best practice" or regulatory requirement could be enough to carry the day.
If you have to rely on a financial argument, the problem becomes a lot trickier. Especially since those costs and savings can be easily measured.