In the good old days, people wrote viruses largely because they could. While some attempted to justify what they did by saying that they were doing it to make obvious the flaws, most really did it for fun. Destructive, anti-social fun, but fun, nonetheless, by the standard of their developers.
Today, viruses are written for profit, with the goal to collect and use specific information. In some cases, the goal is to take control of a network of computers, and use them to send spam. We recall reading an article that posited that a surprising percentage of computers were being so used, without the knowledge of their owners. Since at least a third of all computers likely have no current protective software, this is not a surprise.
A bigger worry, however, is the virus aimed at gathering specific information about specific firms, and sending it back to its masters. These viruses are relatively inexpensive, costing a few hundred dollars for a simple infection, with prices at present hitting almost $4,000 for more targeted viruses that can be updated as needed.
The bad news is that, as with almost everything else, you can take generic protections to protect from generic threats. Things become much more difficult when facing a specific, targeted, attack. The specific attack is unlikely to come to the attention of the anti-virus labs, so you need to depend on a multi-level approach to protecting your computer data.
The good news is that your IT staff can do a lot to protect you once you recognize the existence of the threat, and make the decision to have your staff take appropriate protective steps.