You are still mixing up a management policy (which is normally a bunch of useless platitudes) with an engineering concept that can be used to verify your security architecture.
Actually, I'm not. Your engineering policy is useless without being tiered into the security model by the management layer.

Your "tut" scoffs at this, calling it "meaningless sound bits"; however, without those sound bits your engineering model is about as useless as a one-legged man in an ass-kicking contest.

That said, as a fellow engineer I can identify with the desire to stick it to the man because I too engage in the rhetoric daily. However, over the many years served in this industry I have come to understand and know my enemy. Management wants to be able to provide upward feedback that they have met the business requirements and the new legislation so they can continue to produce widgets. Management doesn’t care about technology or engineering; they care about the business. You are there to aid them in this, not the other way around.

As my cohort catch has mentioned, your post is a collection of parts of many different models. Although I chose not to break it down to the level he has, you have to be honest and admit that this isn’t really a tutorial but rather a collection of components fused together and spun from an engineer's point of view. Now, while I find your narcissistically cynical rant entertaining, it once again can be summed up by saying:

Business Requirements + Mandated Requirements = Technical/Policy/Procedure Solutions.

I’m done.