What I see is a schism between IT planning/procurement and IT security. A purely hypothetical and in no way related to my Agency example:

“Sure, you can have progressive tool and functionality, but let me break it with several thousand layers of redundant, burdensome, box-checking security controls so that the resulting tool will suck and fail. That way, I can claim victory and progress and get kudos from the press and OMB, while you, dear user, are no closer to actually being able to do the thing you are seeking to do <insert maniacal laughter here>.”

My favorite IT paradox is having unique log-ons for every single dingle application that we use, and then procuring single sign-on software that allows me to log into them all automatically. Really? REALLY? Is that not ironic to anyone but me?

On the serious side, I would LOVE to see a benchmarking report on implementation of NIST security controls that ALSO gives end-user satisfaction ratings. If our job is to balance info access, availability and security, we need to balance the incentives and repercussions related to all three – not just the security side – in an integrated way.