In many ways this reminds me of OWASP SAMM, which is a framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. For anyone interested in having data driven, defined way to measure and scale security I am strongly advising to have a look at this project
https://owasp.org/www-project-samm/