Leds- I tend to agree with the one other post that made it to the list re your question. I would assume that your various security devices are capable of generating rather detailed logs. Cull that information to get an idea of the number of possible problems that were prevented. Take Nimda for example. Estimate the cost (in time, lost productivity, etc.) of a Nimda infection to your organization. Then extrapolate that out to the number of incidences that were deterred. Although overly simplified here, it seems to me that this sort of strategy would prove effective.
-Q-
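
A sketch of the estimate described in the post above, as an added example that is not part of the original message. The log format, addresses, and cost figures are constructed, and counting one avoided infection per distinct targeted host (rather than per blocked request) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up format:
#   timestamp ACTION src -> dst "GET path"
SAMPLE_LOG = """\
2001-09-18T09:14:02 DENY 203.0.113.7 -> 10.0.0.5 "GET /scripts/root.exe?/c+dir"
2001-09-18T09:14:03 DENY 203.0.113.7 -> 10.0.0.5 "GET /MSADC/root.exe?/c+dir"
2001-09-18T09:14:05 DENY 203.0.113.7 -> 10.0.0.6 "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir"
2001-09-18T09:20:41 ALLOW 198.51.100.9 -> 10.0.0.5 "GET /index.html"
2001-09-18T10:02:17 DENY 198.51.100.23 -> 10.0.0.6 "GET /c/winnt/system32/cmd.exe?/c+dir"
2001-09-18T10:05:00 DENY 198.51.100.40 -> 10.0.0.7 "GET /admin.php"
"""

LINE_RE = re.compile(r'^(\S+) (DENY|ALLOW) (\S+) -> (\S+) "GET (\S+)"$')
# Nimda's IIS probes request root.exe or cmd.exe under various paths.
NIMDA_RE = re.compile(r'(root\.exe|cmd\.exe)', re.IGNORECASE)


def summarize(log_text):
    """Return (blocked Nimda-style requests, {target host: set of sources})."""
    attempts = 0
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, action, src, dst, path = m.groups()
        if action == "DENY" and NIMDA_RE.search(path):
            attempts += 1
            targets[dst].add(src)
    return attempts, dict(targets)


def estimate_avoided_cost(log_text, hours_per_infection, hourly_rate):
    """Extrapolate a per-infection cost over the hosts that were targeted."""
    attempts, targets = summarize(log_text)
    hosts = len(targets)  # assumption: one avoided infection per targeted host
    return {
        "blocked_attempts": attempts,
        "hosts_targeted": hosts,
        "avoided_cost": hosts * hours_per_infection * hourly_rate,
    }


if __name__ == "__main__":
    # Constructed figures: 8 hours of cleanup per infection at 50 per hour.
    print(estimate_avoided_cost(SAMPLE_LOG, hours_per_infection=8, hourly_rate=50))
```

Multiplying the cost by blocked requests instead of distinct hosts would double the figure here, since the same host is probed several times.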