Lot of what you say rings true. I am involved in a project right now where the team members are trying to do the right thing from a development point of view. However the bureaucracy of centralized information security folks and paperwork based approach of the quality and regulatory folks makes it painful. Hence reaching out to this forum to see if anyone has a good experience of doing it right.