Amen! It's much easier to go after the big news-making headlines (at least with a policy) than to look at all the little details that make an environment more secure.

Our IT sec folks have a practice of creating policy for everything, then leaving it up to other groups to enforce. That way, if there's a breach they can say "well, that's against policy...not our fault they didn't follow it."