Maybe a honeypot will attract outsiders, but it will not save you from insiders compromising your security. IMHO if organisations will use honeypots and decoys on a larger scale, some hackers will soon develop tools to distinguish those IP-adresses from 'the real things' and distribute those tools among their community members. Since none of us wants to pay more than absolutely necessary and security is costly, any organisations will cut on security and leave it to the bare minimum that is required by law. As long as a security measure (for example, an extra guard) delivers more than it costs (less shop lifting) those measures will be taken, but don't expect anything more in a world based on profit and loss. Why should a hospital invest in extra security measures on the access to their patient files, while making them accessable from nearly anywhere could save them traveling costs? Did you ask them how they secure your file before you went to a doctor? Did you ask the water plant what measures they have taken to ensure that their plant is not vulnerable to an attack from the internet? As long as people do not ask these questions, companies will not profit from security measures, leaving no reason to implement additional security measures. Yes, they do talk about it, but when they find out how much effort it rquires to embed security into their daily operations, it ends up at the bottom of the list. But of course that is only my humble opinion ...