The problem is, it doesn't matter. If the "good guys" are prevented from testing your system to uncover vulnerabilities without legal threats, but the "bad guys" are not, you still effectively do need to spend that anyway.