I completely disagree with that statement and regard it as an uninformed viewpoint by those who generally do IT and IT Security poorly, as in my experience I have seen how good IT security practises can have many positive effects on business performance.
Consider one of the holy information security trinity (CIA Triad), "availability", which is all about "business availability", and tied to business performance. When comes to availability security measures is very much part of the performance equation, the threat of malware and denial of service attacks should be assessed along with the threat of power outages and hardware failure. For example business critical web services which has not been built with a capacity to withstand denial of service attacks can cause business performance problems much worst than any random IT hardware failure or freak weather incident.
I have witnessed on countless occasions business IT department reluctantly introduce 'Change Control' against critical IT infrastructural to meet information security regulation. Every time this resulted in major shifts in stabilising the IT infrastructure, previously the business had just accepted it was normal practice for IT infrastructure to be unreliable like British trains. This IT stabilisation led to improved overall business performance, efficiency gains and ultimately more profits.
So IT Security may well be a Contraceptive, but remember it is ribbed to increase performance.