I guess the difference is, I aim for perfect and see what compromises I can make/are needed to be made. You start from completely insecure and try to work up without a road map.

Sadly the majority of the world follows your method.

In reality, the end result is that given similar funds we will end up with similar systems. Mine however will be more comprehensively defined, will mesh better with high level policy, and will have less demanding personnel requirements. For most however this is mere nuance, though as the initial budget increases, so does the gap between the systems. Until eventually one method tops out at perfect and the other as a rotten pork chop with heaps of fancy gravy on it.

Also, when has the best solution ever been the most popular one? People don't use the systems I speak of because they have uneducated "experts" being dishonest with them, and rather than just saying they are not familiar, they make up BS about how such systems are not applicable. (Yeah, 'cause if you did use one, you can typically cut your relevant security expenses by 25-33%... at least this has been my experience.) Don't let their ignorance and insecurity and forced, false job security seeking tactics spill over onto you.

catch

PS. If these systems are so not "real world" why are they covered in several CBKs of the CISSP? Not in depth mind you (but nothing in the CISSP is in depth), but they are covered.