It needs to be stated up front that security will cost something in dollars, human capital, and ease of use. At the same time, it needs to be said that you cannot devote the same level of resources to protecting medical records that we devote to protecting nuclear weapons; the protection must be proportionate to what is at risk.
For a long time the computer security market has been starved, primarily because the only market has been the captive government market. That market is driven largely by regulation rather than by technical need, and for such uses the assumption was that you would only be networked to ``trusted machines''. Products generally had to be certified as secure for a given level according to DOD regulations, and by the time they were certified they were sometimes already obsolete for other technical reasons. Market forces are changing rapidly now that more and more computers are being networked together. We can expect that in the future security will become a more natural element in the design of systems, and that security will not be an add-on that you buy, but rather an integral feature of the system.
For now, however, it is usually the case that security products are purchased separately from complete systems. This makes it extremely difficult to have any real security, since real security requires that the entire system have protections built into it, rather than stuck on the outside like a band-aid. Buying a ``separate'' security system for an existing information system that was never designed with security in mind makes about as much sense as buying a yacht and later turning it into a motorhome by adding wheels.
The major costs of security should be incurred during system design and development. Additional costs will come from delivery-time consulting for configuration, and from continuing operating costs. Initial outlays for software and/or hardware are not likely to be a big cost to the customer. A good rule of thumb for the cost of administration and setup might be 10-15% of the overall system budget, with a somewhat smaller percentage for initial capital expenditures. If you are buying an entire system from a single vendor, then the 10% figure is probably still a useful guideline for how much more a system that incorporates appropriate security features will cost. When buying such a system, you may want to use outside consultants to judge the security features, just as you might use consultants to judge the software and hardware features. Security is complicated, but if you buy a system that was designed properly with security in mind, it should not be overwhelmingly expensive.