I think it is nonsense. These two should not be put next to each other. To me it is the same as "show me the ROI for car insurance" or "show me the ROI of military and defense budgeting".
I definitely like the following, which is not about ROI but rather about keeping the business:
The Security Development Lifecycle (SDL). Advantage, Microsoft
by Jon Oltsik
When it comes to Microsoft and security, few people ever mention Microsoft’s Security Development Lifecycle (SDL). ESG believes this is an unfortunate omission. The fact is that Microsoft’s commitment to SDL is an area of stealthy security leadership. ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business.