It's all about the perspective. A manager might consider test-driven development or security-driven development a matter of "spending" - in that it costs time and money and doesn't provide an immediate tangible benefit compared to making the thing that makes the money - but the engineers see it as an investment.

Both sides are right. If the company is never hacked, then it could both validate the security model as well as give a reason why not to bother in the first place. If the software runs smoothly throughout development (give or take a bug here and there), then all that testing was indeed a waste of time.

The difference between investment and cost is the ability to look into the future and analyze the past.

So there really isn't a straight answer.

EDIT: it also matters to the perspective of those outside of the organization. A bullish analyst might call Alphabet's moonshot projects an investment, while a bear would likely label them a cost.

I define 'investment' as 'money spent in the pursuit of future benefit'. In this case, money spent settling a lawsuit to avoid a significant chance of later spending a far greater amount paid as damages (and why else would you settle?) is most definitely investment.