That's not it. It's just, very minimal potential upside, lots of annoying downsides. Re-read everything you've read on HN about "being careful talking to the press", assume that --- unlike most startups --- the press is seeking you out pretty regularly, and then consider the mental energy required to minimize the downsides.
YMDV. I'm not even selling a high ticket item but back when I courted the press (simply by writing emails whenever a topic I knew about was mentioned) I've had results that have well paid for themselves in a) the effort and b) the misquotes and annoying downsides. (In one case my small company at the time was mentioned right next to AT&T in a list of 4 companies mentioned.)
I really can't imagine how it wouldn't pay for you (business wise) to be mentioned given what you do in mainstream press. In order to be mentioned in mainstream press it pays to have mention elsewhere as a starter. I can see a CEO with a security problem reading a quote of yours in the WSJ and handing the tearout to someone with the instructions to contact you about some issues they are dealing with. I can see links and quotes from both online and offline mention of your name appearing on your website and giving you and edge on your competition.
By the way mention on your website such as "Our work has been featured in Network World, eWeek, Forbes, Macworld, Wired, and the Washington Post, and at conferences ranging from Black Hat to Gartner" and links to or copies of said articles will not produce the same results. And if the articles are old that is why you need fresh mention.
That said I can totally see (which is why I asked) how a security researcher frequently mentioned in the press, like a former boxer sentenced to prison, becomes a juicy target and that is definitely a downside.
* In my particular line of business, the quality of one's website has vanishingly little to do with success. We have a cookie-cutter front page that says cookie-cutter things; its purpose is to confirm that we are, in fact, a real business. It succeeds at that.
* I have no doubt whatsoever that people outside software security, or maybe even new entrants in software security, have much to gain from press hits. But "fresh hits" do very little for us.
* Only a very small minority of our business is "event driven", such as when a CEO realizes he has an immediate security problem. We're an engineering service. In the overwhelming majority of cases, we're working for other engineers and their product managers who've known for ages that they need help with security; we get engaged when it makes sense in the budget and the dev cycle to engage us.
We're one of the largest pure, dedicated software security firms; we're also one of the more mature/established of them. Most of our business tomorrow will come from executing competently today; people who can reliably flush security flaws out of arbitrary pieces of software are in short supply and high demand.
