Aren't we all tired of the 'X paid Y and Y magically they found out that product Z from company X is better than sliced bread' crapola? Most IT 'professionals' would not know how to calculate NPV, even with a gun held to their head. And the finance people that do know how to calculate NPV were given some made-up numbers by IT that could not possibly stand to a close examination. Seems appropriate to read this on the same day we are handed nonsense from Washington regarding the debt ceiling with cuts we will never see.
My NPV has been negative so far on this one. I installed six desktop computers for one of my basic customers and was called back in because they couldn't print from IE 9 to their printer. The quick fix was to revert to IE 8 (which had to be removed as an 'update' rather than a program, if I recall... contrary to the MS documentation).
The server in this instance was Win2k3 and other desktops were XP running IE 8.
If your incident response rates were lowered due to the browser, it could save much more then that number you provided. Cost of a single incident is really complex by itself and varies by organization.
The projected savings works well in some companies but gets difficult to calculate in larger firms. Without knowing the math and formulas it's hard to say how much you could save.
I am not surprised that some MS-sponsored survey has come back with positive outcome. I've been in the biz a while and have seen many, many 'an attacker could take complete control of your system' bulletins. You could not pay me any sum of money to use IE. Period. I only use it for Windows update on my older servers and to download Firefox when a local copy is not available. They will NEVER secure IE -- and that is the bottom line.