I would offer this footnote: saying "security is a process" is not specific enough. While that aphorism captures the essence that the work is ongoing, it omits any mention of what the process actually involves-- managing risks. Specifically, clarifying risks, identifying vulnerabilities, and taking appropriate action to mitigate threats.

update: I also want to add that any security plan worth having around has the proactive steps I mentioned but doesn't stop until it also includes incident detection, incident response, and backup and recovery planning.