How can SMBs secure everything on a budget?
I recently had a meeting with my manager about securing our infrastructure and SaaS products. We have a lot of SaaS products (around 150) that at some point in time touch PCI data for a small-to-medium-sized organization (90 staff). One other IT admin and I are responsible for your typical IT infrastructure like the network, servers, etc. Luckily, we manage only a few of the SaaS products, like Microsoft 365, and other staff in the org are responsible for the other SaaS products, like sending mass emails. I know getting a managed MDR is the way to go for small IT shops to monitor incidents, since we can only do so much for networking, endpoint, and server security. However, after researching SIEMs, vulnerability scanners, and MDR vendors to be PCI compliant, it seems like to secure everything you have to spend an arm and a leg. How are small businesses that deal with PCI data able to maintain compliance while not spending a huge chunk of their budget? I understand spending on security, which is important, but some of the compliance requirements state even monitoring things like Salesforce logins. Just curious how you've seen other SMBs deal with this, or recommendations for how to handle this. Thanks!