Not to mention proper support for two-factor authentication, which most smaller email systems don't have (especially in-house corporate setups.) Shared services can devote more resources to security because they're splitting the result over a greater number of users.
RSA has been selling such systems for years. My friend's container shipping company of 15 people has it. It really comes down to having a qualified IT person on board, rather than the availability of a technical solution.
I'd still bet on Google's security setup for its Apps customers over your friend's company. Also a consideration, Google would cost only $900 a year for 15 users, which is a considerable savings over dedicated staff.
I recommend Google Apps all the time. It's almost certainly better than what they're using now and is very good at not having problems.
There's no question such solutions have been available, but the reality is that most companies haven't implemented them.
Even if a company is aware of TFA, it's still probably cheaper and faster to get it via Google's products than implement a solution in-house using RSA, etc.
