November 16th, 2005, 11:48 PM
#7
It would be great if the IT areas did regular risk assessments; unfortunately, though, it is just not going to happen. That is what they bring in the auditors to do.
In a previous life I was an IT auditor for an accounting firm, and that was our standard work: risk reviews, basically.
Generally IT areas see this as something that they don't have time for (and not a priority). The other thing is that by bringing in someone external to the IT department (it may be an external company or an area of the org responsible for auditing) you will get a much more independent review of the risks. At times the IT department has an interest in understating risks (or they may not fully understand them), because the higher the risk, generally the more work there is for IT to mitigate it.
Now, in my IT Security role, what we do for new systems is get the business owners (corporate clients, with assistance from IT developers and admins) to put together a threat risk assessment of the system. We then get them to send it to us in IT Security, where we go over it to make sure that (in our opinion) it is complete and the ratings are accurate (and we suggest additional controls where applicable). If we are happy with it and there are no glaring holes, we then forward it back to the business owners (corporate clients) for sign-off, because as the "owners" of the system and its data it is really up to them to sign off that they are aware of the residual risks and are happy to accept them.
As for existing systems, rather than doing formal regular risk reviews we do more of a compliance-checking program. We (IT Security) have a set of "risks" that we want to cover off as part of our control compliance testing, and we run that program year round on a schedule; basically this is an audit program.
The other control that helps is that we have a VERY stringent change management process, where most changes to the IT environment need to go through our change management committee, on which IT Security has a representative. Not EVERY single change needs to go through change management committee approval; there are standing authorisations (which are approved by Security) that a lot of changes can be made under.