I have a new paper in the February "For Good Measure" column in USENIX ;login written with Dan Geer called: "Margin of Safety or Speculation? Measuring Security Book Value"
The goal of this paper is to show a simple metric that compares the risk your system is taking on (as measured by what you spend on app development, databases and so on) versus what you are investing to defend the system. The higher the former and the lower the latter, means less margin of safety.
The metric is useful within the context of one project or to compare across a range of projects and business units. Of course, its just one metric. Margin of safety is silent on some important areas like control efficacy, however we find it a useful starting point for analyzing security investment.
If you've tried something along these lines please share your feedback in the comments.