Call me cynical but I have to wonder how much of that huge cost is simply bringing security up to where it should have been in the first place (both the labor in applying patches, getting new software, and/or additional employee salaries). Should this be counted in the cost of the breach? Personally, I don't think so.

Now, lawyers fees, punitive damages, "customer recompense" (hah!), etc., yes, that absolutely should be included. But not the cost to fix the security that should have already been there.

Of course inflating the cost is likely to soften public opinion, "look how much it cost them. Bet they won't do that again"...

(need more caffeine!)