This is an interesting issue. The main reason info security should be in a different chain of command than the IT of the organization is that the two organizations have different goals. The security people are specifically investigating the people and practices of the IT people. IT people are driven by a budget requirement to get more done with less money, in less time, with fewer people, so in most cases, things they consider unimportant in relation to that goal are suppressed. Patches and replacement of obsolete software and hardware get put off. Security projects are often left unfunded, and the person in charge gets bigger bonuses when they get through the year on less money. Having a dedicated security department is a lot like having liability insurance on your car. If it wasn't against state law to drive without insurance, a lot of people would convince themselves that they were a safe driver and could self-insure. Insurance is not designed to help when things are going smoothly, and a security department is also intended to be of the most value when something goes wrong.
Another problem: CIO bonuses are not usually attached to the scarcity of successful hacks. Those are treated like flash floods; they are acts of God and cannot be predicted, so the CIO is rarely found to be at fault for being prepared for network exploits. Hard to quantify and expensive whether there is an attack or not. In the case of a smaller company without the funds to have a dedicated security team, I would suggest hiring a managed security services team (MMS) and having them answer to the CFO, not the CIO.