It really makes you wonder, given that this kind of stuff seems obvious, what the barrier to entry is - too much other stuff that it's low priority? Even in the Verizon report people who are collecting logs frequently aren't using them. Log data itself is overwhelming, which is one reason why I decided to make the thwackCamp 2013 LEM presentation about the "now what?" that's so common in setting up LEM/SIEM, but shouldn't these be the primary reasons to use it in the first place?!
Maybe "checkbox compliance" is too common - people are collecting log data, not really setting up or monitoring alerts, passing their PCI audits (somehow?) and just never touching it again. (Well, until someone reports an issue...)
Or, maybe SIEM is seen like insurance, and enough people are willing to go to the ER instead of buying insurance.