According to Bruce Schneier, people are willing to take risks, something explained by Prospect Theory. Most people will prefer the certainty of a small gain to the possibility of a higher gain (or no gain), but most people will also prefer the risk of a high loss (or no loss) to the certainty of a small loss. The issue when selling security products such as smart cards, or more generally smart objects, is that we sell something that will prevent a high risk of an important loss. But we can't sell a certainty of a loss. The only thing we, as an industry, can sell is avoiding a negative rather than obtaining a positive.
This is where fraud, hacks, failure demonstrations, etc. come in handy. These attacks on existing systems, or simply an evaluation of the fraud level in an existing system, will be the best trigger to sell security. For instance, the switch to smart cards for payment with 'Chip-and-PIN' reduced the level of fraud in Turkey by 73% (cf. Smart Insights #08-25). Also, the announcement of the breaking of the Crypto-1 algorithm, present in Mifare Classic, has been an excellent opportunity for NXP to go back to its loyal customers and sell them new cards and system upgrades to support Mifare Plus.
On the other hand, there are also some questions that become security issues because they are not addressed in due time, or because the actual security issue is not taken into consideration when making a purchase decision. An example could be the Real ID program in the US, where the federal government is pouring money in again, even though the technology choices are not frozen and many states are reluctant even to go for Real ID. The same can be said of the Passport Card, for which the smart card community agreed that the choice of long-distance RFID over a contactless smart card was the wrong decision. In these cases, it appears that technology choices are not driven by a cold, rational risk analysis.
So why are we so reluctant to make rational decisions when dealing with risks?