(from Software Quality Book)
One of the challenges of the JIRA RISK workflow is managing and maintaining the opened issues. This can be a considerable amount of work, especially when there are 200 or more issues.
Note that in large organizations the number of risks opened and managed should be above 500. That is not a lot; in fact, it is the level at which visibility into existing risks really starts to happen.
The solution isn't to have fewer issues.
The solution is to allocate resources to managing these issues, for example graduates or recently hired staff.
These are inexpensive professionals who want to go into app sec, or who just want the job to get a foot in the door at the company. It's one of those easy, win-win situations that lets them learn a great deal, meet a lot of key people and really get their heads around what is going on.
This will mean that the developers can actually spend time fixing the issues instead of maintaining JIRA.
The maintenance of issues is critical for the JIRA RISK workflow to work, because one of its key properties is that it is up to date and that it behaves as a 'source of truth'.
It is key that risks are accepted, followed up on, and never moved into the developers' backlog (where they will be lost forever).
We can't have security RISKs in the backlog; either issues are being fixed or they are being accepted.
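The rule in the last three paragraphs (a RISK issue is either being fixed or accepted, has a named owner when accepted, and is followed up on) can be turned into an audit that the graduate maintaining the workflow runs over an export of the RISK project. The script below is an added example, not code from the book or from JIRA itself: the status names `Fixing` and `Accepted`, the field names, the 30-day follow-up window and the sample issues are all constructed assumptions, to be replaced with whatever your own RISK project uses.

```python
"""Audit of JIRA RISK issues against the 'fixed or accepted, never parked' rule.

Added example, not code from the Software Quality Book. Status names, field
names, the follow-up window and the sample issues are constructed assumptions.
The equivalent JQL for the first check, with the same assumed names, would be:
    project = RISK AND status not in (Fixing, Accepted)
"""
from datetime import date

# Assumed status names: the only two acceptable resting states for a RISK.
VALID_STATES = {"Fixing", "Accepted"}
# Assumed follow-up window: an issue untouched for longer than this is stale.
STALE_AFTER_DAYS = 30


def audit_risks(issues, today):
    """Return (issue key, problem) pairs for every issue that breaks the rule.

    Each issue is a dict with keys: key, status, accepted_by, last_updated (date).
    """
    findings = []
    for issue in issues:
        key = issue["key"]
        status = issue["status"]
        # Rule 1: a RISK must be being fixed or accepted; anything else (a
        # backlog column, 'Open', 'Deferred', ...) means it is being lost.
        if status not in VALID_STATES:
            findings.append((key, f"in state '{status}': RISKs must be Fixing or Accepted"))
            continue
        # Rule 2: an accepted risk needs a named owner who accepted it.
        if status == "Accepted" and not issue.get("accepted_by"):
            findings.append((key, "Accepted but no named risk owner"))
        # Rule 3: every live RISK is followed up on; flag the ones that went quiet.
        idle_days = (today - issue["last_updated"]).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((key, f"not followed up in {idle_days} days"))
    return findings


# Constructed sample export: four issues, two of them healthy.
TODAY = date(2024, 1, 31)
SAMPLE_ISSUES = [
    {"key": "RISK-101", "status": "Fixing", "accepted_by": None,
     "last_updated": date(2024, 1, 25)},
    {"key": "RISK-102", "status": "Accepted", "accepted_by": "product owner",
     "last_updated": date(2024, 1, 20)},
    {"key": "RISK-103", "status": "Backlog", "accepted_by": None,
     "last_updated": date(2023, 10, 1)},
    {"key": "RISK-104", "status": "Accepted", "accepted_by": "",
     "last_updated": date(2023, 12, 1)},
]


def sample_audit():
    """Run the audit over the constructed sample; used by the demo below."""
    return audit_risks(SAMPLE_ISSUES, TODAY)


if __name__ == "__main__":
    for key, problem in sample_audit():
        print(f"{key}: {problem}")
```

Run weekly, the output is the to-do list for whoever is maintaining the workflow: each line is either a risk that has to be pushed back out of the backlog or an acceptance that needs a named owner or a fresh follow-up.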