According to the National Cyber Security Centre (part of GCHQ) if you’re a small or medium-sized enterprise (SME) then there’s around a 1 in 2 chance that you’ll experience a cyber-security breach.
On the whole, this is what most organisations receive from their IT provider or internal IT dept.
You might get a bit of monitoring and a few software patches applied, but usually not much else. Except of course, advice on what they need to buy! Which is obviously ‘commercially tainted’ as the provider makes profit from their own recommendations. This model is undoubtedly broken; it's reactive in nature and is a far from the ‘trusted partner’ relationship we all want from our IT dept/provider.