This is a classic management term which needs no introduction for many folks. The more money you pour into the security budget, the more will be spent buying unneeded security products, which increase the complexity and reduce the efficiency of your security operations. A start-up company I worked at long ago had installed five layers of firewalls to keep out intruders. The security manager claimed to me that they were there to really protect the information assets, but I soon realized these firewalls were not configured correctly and were more a set of fireholes than a set of firewalls. Moreover, the maintenance costs of this type of complex security framework can be humongous. Imagine poor me debugging the firewall rules across these five layers of firewalls. One thing is for sure, though: the job security of the security professional who implemented this complex framework was guaranteed. In reality, the guy who implemented these five layers of firewalls worked as a consultant for this start-up in the off hours and on weekends!

In reality, the well-run security organizations I have seen are lean and mean. They not only provide continuous security thought leadership for the entire organization but also implement security in a simple and efficient way. The graph below gives a visual picture of what I mean by the order of diminishing returns.


On a related note, I have identified four different states of security organizations, considering the competence of employees and the availability of budget. Of course there are in-between states; I have considered only the extremes: