I don't think that there are too many people that would argue with their number one.

As far as what I would add, I don't know that I would necessarily add anything, but I would reword number six. I think that waiting until you have a problem to realize that you need security is a HUGE management failure. I know that in my company, security was seen as something that I (as the SysAdmin) did for fun. It wasn't until we got hit with Nimda that they sent me to some training, bought me a bunch of books, and got me a Safari subscription.