As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.

He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".

inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.

"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.

Do you have any stats to support this statement? I work as a Information Security Officer, other firms have BISOs or other names for this kind of position.

Additionally, a lot of what you are describing is either cliché ("you can only be wrong once"), only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.