My view is a bit different. Any organization that focuses solely on prevention of non-targeted attacks is making a grave mistake. This hasn't changed at all in the past two decades: attackers interested in a particular target, and willing to spend several weeks on such a pursuit, were always a huge problem. In the vast majority of documented cases, they did not need to be unusually sophisticated to succeed, either - and in proportion to the size of the online economy, I don't think they are more numerous than, say, ten years ago.
Fending off these attackers in large and complex environments is very difficult, and requires in-depth in-house expertise, lots of ingenuity - and even then, it may occasionally fail. Alas, at the behest of vendors and infosec pundits, many organizations made exactly the wrong choice, and spent the bulk of their efforts on ISO 27002, PCI, SOX, and off-the-shelf AV and IDS tools - building a more measurable and familiar, but ultimately vulnerable, world.
It is increasingly evident that the value of these solutions in containing determined attackers is fairly small. The parties involved would prefer to say that they had done the right thing, and the threat landscape has changed in the meantime, instead. But the claim that they are facing a brand new, incredibly sophisticated adversary is a very self-serving one.
So, I am simply saddened by the emphasis on the "advanced" part of the term, and the Cold War rhetoric employed to push even more expensive and ultimately meaningless products and approaches. Whether you are a government agency or a Fortune 500 corporation, chances are, buying services such as 0-day vulnerability notifications or botnet monitoring is not an efficient use of your money.