You are still mixing up a management policy (which is normally a bunch of useless platitudes) with an engineering concept that can be used to verify your security architecture. However, I agree about the position of IT security in any organisation.