Poorly aligned risk models. Applying a “one size fits all” policy to every application change ignores the fact that changes carry very different levels of risk. The result is that developers spend time fixing low-risk code issues while the high-risk ones do not get the attention they need.
Disconnected security activities. Automated tools are good at spotting code and configuration vulnerabilities, but they do poorly with architectural flaws, which are design-level problems that no scanner can recognize from a single file or setting. Most organizations fill that gap with manual activities such as threat modeling, code reviews, and penetration testing. In too many cases, though, those activities are neither aligned with the organization's risk policies nor coordinated with the findings from the automated tools, so the two sets of results are never reconciled.