IT security study carries cynically great news for CIOs