Vulnerability Assessment Team (VAT) Seals has a list of "somewhat cynical and tongue-in-cheek" security maxims that are nevertheless "essentially correct 80-90% of the time (unfortunately)."
Here are a few examples:
Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.
Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.
Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
Irresponsibility Maxim: It'll often be considered "irresponsible" to point out security vulnerabilities (including the theoretical possibility that they might exist), but you'll rarely be called irresponsible for ignoring or covering them up.