I'm usually ranting here about the usage of statistics, risk metrics and other quantitative approaches (as ROI) to support security decisions.