
I am going through the IASME Cyber Essentials questionnaire and one of the questions is:

are all sensitive assets identified (eg protective marking) and properly protected?

I have googled "protective marking", which refers to the government's levels of classification (Top Secret, Secret, etc.).

My question is: would small businesses use these same classifications, or would they simply just state that something is confidential? Also, are there other ways to identify sensitive assets?

Sorry if this question is very basic, I am just a little confused on this question. Thank you for any help in advance.

Anonymous5642
  • I suspect that in this case they're using "sensitive assets" in the specific sense of "data requiring protective markings/handling" - I think there is another question about "personal data assets". If so, there are specific terms used for the classifications, which don't apply for other data. – Matthew Feb 13 '17 at 10:09

1 Answer


The government uses C, S, and TS as the general material level restriction, but to think that's all they use would be a gross oversimplification. Other things in play are "need to know" policies: basically, just because you have TS clearance doesn't mean you get to access everything marked TS. There are far too many to list here, but basically it means that you end up with a greater level of complexity than a simple three-marking system.

As for small businesses, classify information based on the potential damage if it were released to the public. Would the firm be embarrassed? Would their competitors gain insight into how they run their company? Is it a secret formula that is behind the entire company? You must also consider legal repercussions from releasing protected information (medical records, etc.).

So, to answer your question: companies usually must have at least a "confidential" level to protect employee information. There is nothing to stop a company that feels it needs additional categories from making them. In everyday life, however, most firms forgo the "C/S/TS" idea and just use compartments of information.

For example, Apple may not classify their employees in levels of trust (they may, I have no idea), but they certainly compartmentalize project information to only the needed departments.

Think of the government's method on one end of the spectrum and a mafia's "web of trust" on the other. There is more than one way to skin a cat. A company is going to pick the one with the "hopefully" best risk-to-reward.

Alex