I'm a computer security "expert".
So, please feel free to ignore everything I say, just like the big corporates who hire me do.
It's an odd business, advising businesses about security. Small businesses tell me it's all a rip-off and that they don't want to spend money on "consultants". The small businesses that think they can avoid security are the ones that probably need to pay some attention to it: solicitors, insurance agents, internet cafes, pubs, clubs etc. For these businesses there is a tendency to under-report incidents, partly because they don't recognise when their systems have been compromised and partly because they are, as others have observed, not really of interest to anyone. Not enough assets. Also they tend not to have their assets in one place. They will have on-line banking, but it tends to be separate from their billing, invoicing and payroll systems. Much of their financial work will be done in spreadsheets and then copy-typed into the on-line banking system. A type of air gap. That said, there are criminals who target these sorts of businesses and who get them to pay fake invoices, hand over their banking details, or perform transfers for "security" reasons (to the scammers' accounts, of course), and the scammers get away with it.
The medium-to-large companies seem to be the ones where there's a perfect combination of laziness, tight-fisted attitudes and incompetence. They don't recognise they have outgrown their systems; they keep going and do silly things like hosting their own web delivery on the same system that processes their finances. Their IT support guys are behind the curve and do silly things like logging in as root over and over again. They have inadequate passwords, they password-share and they like to work from home. Even in this day and age they use insecure protocols for remote access. They also tend to do things like having no separation between development and production systems (or usually have no concept of using a development system), and they take chances like patching live systems during office hours using a patch they downloaded at home and whacked on a USB stick. These organisations will often pay for security advice and then ignore it, because it seems "a bit difficult" or "costly". However, they won't have costed the proposal; it will just be done by "gut feel".
Larger businesses are also vulnerable because of the infinite money cage effect. A business with 10 employees has to be unlucky to have someone who will not care about their job to the extent that they will do something careless. A business with 1,000 employees is guaranteed to have some prize careless dopes on the payroll: the sort of people who will click on that link despite being told hundreds of times not to do it. When they happen to coincide with the manager too mean to keep the anti-malware updated and systems patched, then bad things happen.