I just found an interesting post talking about the failure of IT risk management. Richard Stiennon provides some interesting arguments including a lack of thoughtout methods, the quest for protecting everything, the missing predictive character, and the challenges of assigning value to IT assets. You can find Richards full post here.