Let's take a few examples:
- Top 20 OpenSSH Server Best Security Practices
- 5 Things That Will Mess Up Your Backups -- and How to Avoid Them
- Slideshow: The 10 Most Common Database Vulnerabilities
- OWASP Top 10 for 2010
- The 10 dumbest mistakes network managers make
That's a question of risk management, of course, but, setting such big words aside, you might simply wonder why there are 5, 10 or 20 top measures and not 2, 6 or 11. The measures in these articles are gathered not to provide a given level of security, or a given level of security maturity, but to make for a long, publishable list. Whether you should implement only the top 3 measures, or only measures 2, 4 and 5, is left up to you. Nor is it said whether you should implement 2, 4 and 5 in that order, or may just as well begin with number 4 or 5.
What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.
Let's add an illustration to this (nasty) comment: friends recently asked me to attempt a penetration test of a website they wanted to secure. What I found was:
- easy access to the htpasswd file,
- obvious passwords that John the Ripper guessed in no time, and
- cleartext credentials for access to the database.
That's not to say that OWASP's work (or that of anyone listed above) is not good. It is good, and useful if used correctly. It's just to say that I'd prefer to see more articles like "Beginner level 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: from step 1 to step 4".