2 Great points here
Talking to many security folks at companies across North America, this is exactly the same type of thing I am hearing. Firstly, you nailed it with "The challenge is what do you say to the industry at large, to the companies in the Midwest that have one security person. ... They can't hire all these people and build custom solutions."
As much as we would love to simply say "get more layers of security in your environment", it's simply not a realistic message, since they often just don't have the resources to manage it. We need to simplify.
Focusing on Web Applications, or applications in general, is a key security tactic that I think is often glanced over in favor of more traditional "We'll put in endpoint, and that should protect us". Even as noted, encryption helps, but it's by no means a be-all-end-all form of security to protect data any longer. We need to better understand application access and how data can be extracted through that application. Putting in a Web Application Firewall can absolutely help, but we also need to go back and look at internal applications and those external connects and better figure out how to make it easier to secure them, especially for smaller organizations who might be limited in security expertise.