This is an article I'm quoted extensively in because I conducted the early research a few years ago on security shelfware when I was working at 451 Research.
From some of the comments provided by others, it appears as if not much has changed in that regard over the years. But it would be interesting to revisit some of the participants from the original survey to see how things may have actually changed.
Infosec professionals believe it comes down to a more controlled acquisition process, sweating the products you already have -- and getting the basics right before acquiring new solutions. “First, leverage the products that have the broadest of capabilities, something that can give breadth of coverage,” says Malik. “This will help get a lay of the land and understand the challenging areas which can then be focussed on more specifically. Don’t try to boil the ocean, but start from critical assets. Finally, the best way is to experiment with the product and network with peers to see how they have deployed capabilities. Security doesn’t need to be a complex offering -- often it boils down to doing the basics well and consistently.”