Great sentiments. I don't see security being discussed nearly enough in terms of risk and ROI. I usually see it discussed only in absolute terms, i.e. unless a solution fits the "CIA" model to a T, then it's unacceptable.
I think that we should layer the CIA triad on top of the Time-Cost-Quality triad when implementing application security.