Over the past 20 years there have been a dozen different major theories on how you should implement an application security program. Yet the average number of serious vulnerabilities in web applications today is 28.6, almost exactly what it was in 2003 when the first OWASP Top Ten was released.  The answer is a new modern approach to achieving application security that directly measures security outcomes instead of indirect measurements of processes or teams.