A very insightful post from Anton Aylward called "Why I don’t see the need for elaborate Risk Analysis."
Fun quote from it: '"Standards" like an ISO-17799/27001, ITIL aren't trying to do anything more than lead people through a process to make them deal with the basic good practices. When they talk of things like Risk Analysis they are trying to get people to think about risk and their risk posture, and that is, all too often, sadly, something most firms don't seem to have got around to.'
In other words, if your password on a publicly exposed router is "password," please shut the trap up about "risk management!"
UPDATE: Yes, yes, yes! You guys are right: "the entire concept of 'good practice' is simply a lazy man's risk analysis." I was just venting about folks who spent time pontificating about risk management while being owned through a router with a password of "password"...