In a very refreshing article, Brendan Williams talks about the fallacies of securing systems based on compliance models, with an army of clerical staff working through checklists to determine the security architecture for a new system. For a lot of my cyber-security-related activities, I have been trying to implement a risk management approach, where the security architecture is firmly rooted in the evaluated threats, their likelihood and impact, and the most cost-effective mitigations.
To address this problem, NIST has provided the SP 800-30 risk management process for some time now. And while high-level threats are very application-specific, the National Vulnerability Database provides a low-level overview of which vulnerabilities a threat actor could attempt to exploit.