It would be great not to spend any money and let the worms run their course. But when you have to deal with downed production at the cost of give or take possibly 500K per attack it unfortunately cannot be done without one loosing their job. The last worm that spread throughout enterprises mentioned having to reinstall the entire server. If that server is a critical production server what would you do?
Would spending 100K prevent the attack, very likely not. Would spending 100K help track the offending machine(s) and enable someone to remove them from the network until they are serviced, possibly?
Would this help keep production rolling, possibly?
The installation management and response time needed to implement an IDS solution does have to be investigated to see if the ROI comes in line with the cost. The ROI would need to include any saved downtime. If someone has this information please pass it along.
A nicer solution would be an operating system that does not need a critical patch every other week, due to it's exploitable nature.
Yes I am dreaming 
Kim
There is one common rule - if you react on something (worm, for example),
never overreact.
This means that, yes, in many cases it is much more effective _do absolutely
nothing_ vs. _ proactive and aggressive prevention_.
few examples from other areas:
- Medicine - Allergy can kill; and allergy is overreaction;
- Politics - 9/11 - if USA did absolutely nothing, even if no one airway
company changed their security procedures, it could be more effective, than
what was done (full time paranoia, 2 wars, huge loses in industry; huge
inconvenience for travellers...).
The same approach works here. Some level of prevention is useful. It was
useful to block bad ports on the week of last worm. It could help (and
helped) updating desktop systems, installing rate limit for a few kinds of
traffic, blocking fraud SRC addresses. But, if someone installed numerous
restrictive filters (for example, forbidding all file sharing between
desktops, allowing it for servers only) - the cost of such thing could be
much more, than the cost of _doing almost nothing_. In many cases, security
updates was more dangerous, than worm itself...
There are cases, when such _proactive activity_ required. This are cases,
when harm of the worm / virus can be unlimited - leaking of the yodlee.com
(for example) database can effectively ruin the whole company, so no any
cost of prevention looks too high. We can always find another examples.
Unfortunately, in 90% cases we just see different kinds of paranoia, which
makes cost of _prevention_ higher than cost of possible damage.
Alexei Roudnev