Generating the ROI involves making assumptions, assumptions, assumptions! A lot of ROI models also assume that should there be a security problem, people sit down and do nothing until the problem is fixed (can't get on the PC, pick up the phone, walk down the hall? Sorry, people aren't completely shut down when there's a problem. Assuming they are, this lets the vendor generate a bigger ROI!). Most ROI models also combine hard and soft dollar losses. This weakens the model.
From attending analyst conferences where security ROI is discussed - see if the vendor trying to sell you a security solution can provide you with real a customers' ex post facto analysis to showing what the actual ROI was. A panelist at the conference I attended felt that this analysis was rarely done.
Good article by Computerworld's Bruce Schneier on "Security ROI: Fact or fiction?" at