You can't spell "Really pointless flamefest" without R-O-I
Rich Bejtlich, with whom I do not want to argue about definitions unless I have a much thicker dictionary than he, has taken aim at the (mis?)use of ROI by security people.
EC readers may be interested in a blog post by Ken Belva, in which the guy who literally (co)wrote the book on establishing a methodologically sound and empirically defensible business case for information security spending — Lawrence Gordon — weighs in via email.
Hopefully, Gordon is a sufficiently authoritative source to put this question to bed for a while.