The challenge for the CIO is to have a security level that is good enough, based on what he is trying to protect, the implications for the business and the cost of security. This is a concept Jesper Kråkhede explained, together with Greger Wikstrand, in the video "People often fail a finding a balance".
But when the IT organisation fails badly, as at Target, Sony Pictures and Ashley Madison, it's no longer an IT problem but a business problem. It becomes a huge issue for the CEO, and often the outcome of a major security breach is that the CEO has to step down.
So if your IT still runs Windows XP for business-critical systems, then you are taking huge risks with your business. When the bad guys hack you, the board will ask you why you haven't tried to prevent this. Running unsupported operating systems or business-critical applications without support is not acceptable behavior when something goes wrong.
So if you are the CEO and you are not following best practices for security when the bad guys come after your business, you will probably have a very good opportunity to try new things in your life.