Depends on the business and how it's set up; for most places the CISO reports directly to the CEO or board members. vCISO is an outsourced security program which interacts with an internal liaison resource.
No organization can claim that Security is not important to them. But the same argument holds good for other horizontal concerns such as performance, reliability, privacy, compliance etc. So do we have a separate role for taking care of each of them? Obviously not. All horizontal concerns are the joint responsibility of everyone in the organization and hence a virtual role is mostly preferable. I have seen organizations where the CISO has a parallel ops team, engineering team and testing team. In short, he/she runs a parallel organization that is not so closely connected with engineering. I don't think that is desirable. Having said that, there are organizations where compliance, security et al. constitute a full-time job. In these organizations it is good to have a full-time CISO who also may have other responsibilities such as compliance, regulation, privacy etc. This person may have a band of experts. But it is important that this person is also supplemented by a virtual team of engineers who are schooled in security, privacy etc. Otherwise, they tend to get more "academic" or, even worse, become policy cops. No one wants that!
When someone is held accountable, you tend to get better results or service. The vCISO does work for some organizations based on the type of business they do.
The challenge with vCISOs, or what I equate to CISO-as-a-service, is the lack of accountability. It is still a consultancy service by and large.