If we plot security expenditure (y) against investment over time (x) and the result (z) as expected returns (or profit), we see that there are expenditure inflection points.
Spending too much on security limits profit, and spending too little also reduces profit.
This is where risk analysis comes into its own. The idea is to choose an optimal expenditure on security that limits the losses. Money should be spent on security until that last dollar returns at least a dollar in mitigated expected loss.
Once the expenditure of a dollar returns less than a dollar, the incremental investment is wasted.
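The marginal rule above, worked through as an added example (not part of the original text). The loss-reduction curve is an assumed, illustrative shape with diminishing returns; the dollar figures are constructed, and only the stopping rule itself comes from the text.

```python
"""Stop spending on security when the next dollar mitigates less than a
dollar of expected loss. The model below is an assumption for illustration:
breach probability falls with spend as base_prob / (alpha*spend + 1)**beta,
so each extra dollar buys less mitigation than the one before."""


def expected_loss(spend, potential_loss=1_000_000.0, base_prob=0.5,
                  alpha=1e-5, beta=1.0):
    """Expected loss (probability x impact) remaining after `spend` dollars
    of security investment. Constructed defaults: a $1M potential loss that
    is 50% likely with zero security spend."""
    return potential_loss * base_prob / (alpha * spend + 1) ** beta


def marginal_return(spend, step=1.0, **model):
    """Expected loss mitigated by the next `step` dollars spent at `spend`."""
    return expected_loss(spend, **model) - expected_loss(spend + step, **model)


def optimal_spend(max_spend=2_000_000, step=1_000, **model):
    """Increase spend in `step` increments while each increment mitigates at
    least as much expected loss as it costs; stop at the first increment
    that returns less than a dollar per dollar (the inflection point)."""
    spend = 0.0
    while spend + step <= max_spend:
        if marginal_return(spend, step, **model) < step:
            break
        spend += step
    return spend


def net_benefit(spend, **model):
    """Mitigated expected loss minus the money spent to achieve it.
    Peaks near optimal_spend(); both under- and over-spending score lower."""
    return expected_loss(0.0, **model) - expected_loss(spend, **model) - spend


if __name__ == "__main__":
    best = optimal_spend()
    for z in (0.0, 50_000.0, best, 300_000.0):
        print(f"spend ${z:>10,.0f}  remaining expected loss ${expected_loss(z):>10,.0f}"
              f"  net benefit ${net_benefit(z):>10,.0f}")
```

With the constructed defaults the loop stops at $124,000, where the next $1,000 mitigates only about $992 of expected loss; the net benefit at $50,000 or $300,000 is lower than at that point.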
This is of course highly simplified. The reality is that any organisation is a conglomeration of choices. Each of these choices involves a decision against other options as well as trade-offs against other uses of funds.
Risk is not simply about the total IT security budget, but involves the optimum mix of choices.