US Government Scorecard Shows Improvement

An interesting metric I've been tracking for some years is the annual scorecard on the security status of US Government departments published by the US House of Representatives Committee on Government Oversight. This process measures the compliance of departments against a set of standards laid down by the Federal Information Security Management Act (FISMA). The latest version, released last week, shows a marked improvement from a poor baseline. Homeland Security, for example, has raised its score from a miserable "F" to a mediocre "D". But this is a step in the right direction and should be applauded.

Not surprisingly, the measures used are controversial. Critics claim it's bureaucratic, placing far too much emphasis on documented plans and processes rather than on the actual vulnerability status of networks. Controls such as documented risk assessments and educational processes might not guarantee tight security. But they do make a big difference. In practice, I've noted a strong correlation between the levels of management controls implemented by service managers and the vulnerability of their platforms to technical attack. That's why I'm a supporter of control standards and certification processes. The FISMA standards used might need some refinement but the overall approach is correct.

Posted on April 16, 2007 2:25 PM.