I've been building systems to support secure web applications since 1998. I get involved in the technical guidance through the whole spectrum of web application development and enjoy great latitude to work across departments for organization-wide process improvement.
I combine the controls from ISO 9001 and ISO 27001 with the process analysis from the Theory of Constraints to systematize predictability, knock out bottlenecks, and reduce risk in technical departments and physical manufacturing processes.
When information security efforts add constraints or decrease throughput, they ought to be reconsidered in favor of security efforts that increase the scalability, availability, survivability, sustainability, supportability, or defensibility of the organization.
A smaller organization may not want to apply security patches to servers because it hasn't developed a reliable process for making any change to a server without breaking something (configuration and change management), a standardized process for notifying users of potential downtime, or a process for recovering from defective patches (disaster recovery). Rather than drowning IT in a flood of emails about critical vulnerability patches, effort is probably better spent on building reliable processes for making changes to servers. Though such an effort doesn't overtly contribute to blocking "bad guys," it prevents downtime and helps the organization scale to new levels of profitability.
Most organizations grow their abilities according to a predictable maturity model. When setting project expectations, it is important to consider where an organization stands in its capability maturity and what groundwork may need to be laid before higher security goals can be achieved.