Vulnerability Assessment Team (VAT) Seals has a list of "somewhat cynical and tongue-in-cheek" security maxims that are nevertheless "essentially correct 80-90% of the time (unfortunately)."
Here are a few examples:
Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.
Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.
Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
Irresponsibility Maxim: It'll often be considered "irresponsible" to point out security vulnerabilities (including the theoretical possibility that they might exist), but you'll rarely be called irresponsible for ignoring or covering them up.
Physical security maxims from Argonne National Laboratory (via Schneier)