Before even planning, not to mention budgeting and starting to implement any countermeasures, it is necessary to have a clear picture of what we actually defend against, as well as what it is that we are defending. Unfortunately, in over 15 years of my experience in information security this is rarely the case. More often than not, decisions on security safeguards depend on anything (ranging from vendor relationships and discount offers to aggressive security solutions marketing and the relevant media hype of the year) but the actual risks faced and the attacker strategies employed.
So, the question “how effective/modern/popular is the proposed safeguard (whatever it might be)?” is blatantly wrong (and yet remains a very common question from the IT side).
There must be, of course, an implemented security baseline (including, at least, a strong password policy enforced, antimalware on all Windows and macOS hosts, a spam filter, a stateful or proxy perimeter firewall, reasonable network separation rather than one nightmarish flat network with everything on VLAN1 still seen in numerous SMEs, some user security awareness training, and hard drive encryption on mobile hosts taken off site, including BYOD). However, everything else is subject to discussion.
The question “does it address the real risks we face according to their criticality?” is the right one, but it requires approaching information security as the form of risk management it is, which is often not the case. So, it is a question of overall strategy first, then tactics, and not “which particular gun is more powerful/which one do we fancy more”. I’m deliberately using military analogies here as 8 years ago we did a book that approaches information security through a military strategy framework; the second edition came 4 years ago, and despite all the technical change since, it is as relevant now as it was then.