The leadership team must clearly define what the business approach is across Governance, Risk and Compliance (GRC). If you aren't sure, partner with a security service provider, identify areas of risk, then make decisions based on the risk assessment(s).
Small- to medium-sized organizations are less likely to have team members with specialized security skills or the extra bandwidth to perform the required security functions. In-house security professionals have specialized skills and training; in a smaller organization, these specific resources may be underutilized.
We have an actual CISO, not a vCISO. Our CISO reports to the board and is held accountable for all security across the company. Our CISO function includes operations, engineering and compliance. For large public companies I don't think it makes sense to have a vCISO given the level of accountability, responsibility (and time commitment). For smaller companies like startups, or companies that are private and cost-conscious, I think vCISOs make a lot of sense as long as the virtual role doesn't mean security is less of a priority across the company.