Great point Joel - the margins are razor thin. It is very difficult to hire proper security resources and make them work for $2-3K per month.
CampBX has a distinct advantage in this regard, because I did Atlanta data center operations and security for two of the largest corporations in the US. And since CampBX is my labor of love, I work for free! I have also been able to leverage my professional connections to help out where necessary.
What's sad is that it really is a solid business. Had Bitfloor made it another year, they would have had the money to do security right. Though they still might not have spent the money on security, of course. There's always something sexier that you can spend money on. Unfortunately, in this business everybody seems to think they're a security expert, even if they just took a couple of PHP classes and read a web article on SQL injection attacks. This makes it harder for the real deals to stand out, especially when they suggest things that cost more money and take more time.
I don't think you are getting it. The meta-problem is auditing and insurance. In my opinion, without it, bitfloor.com should not have even opened for business (same for any other exchange), unless they limited deposits to a relatively small amount and declared their site alpha and experimental. They did not do this. Hence, bitfloor.com was far from a 'solid business'. The same for the other exchanges. It looks like Camp BX is the furthest along with security audits that have publicly available data.
If there isn't enough revenue from the exchange to cover the costs, then they need to get investors and funding.