Humans like condensed lists that they can digest in 60 seconds -- this is one of them. Changing behavior with positive security models requires clear activities that belong on CTO and developer checklists.
As a result of a recent exchange on the OWASP leaders mailing list, Andrew van der Stock consolidated the following activities:
- Security Architecture (including incorporating agile ideas)
- Use (more) secure development frameworks and leverage enterprise frameworks (UAG, etc)
- Input validation
- Output Encoding
- Identity: Authentication and Session Management
- Access Control (service / controller, data, URL, function / CSRF, presentation, etc)
- Data Protection (Data at rest, including in cloud)
- Audit, Logging and Error Handling
- Secure Configuration
- Secure Communications (Data in transit)
So instead of the OWASP Top 10 Risks, think in a more positive, action-oriented model.
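To make the "positive model" concrete for the input validation and output encoding items above, here is an added example (not from the original post or from OWASP) that contrasts a deny-list check with an allow-list validator and pairs it with context-specific output encoding. The username format, the deny-list fragments and the sample inputs are constructed for illustration.

```python
import html
import re
from typing import Optional

# Positive (allow-list) model: state exactly what is permitted, reject the rest.
# Constructed rule: lowercase letter first, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

# Negative (deny-list) model for comparison: enumerate known-bad fragments.
# Anything not on the list slips through, which is the weakness of this model.
DENY_FRAGMENTS = ("<script", "javascript:", "onerror=")


def deny_list_ok(value: str) -> bool:
    """Negative model: accept unless a listed fragment is present."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in DENY_FRAGMENTS)


def allow_list_username(value: str) -> Optional[str]:
    """Positive model: return the value only if it has the permitted shape."""
    return value if USERNAME_RE.fullmatch(value) else None


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text/attribute context, applied at output time."""
    return html.escape(value, quote=True)


def render_greeting(raw_username: str) -> str:
    """Validate on input (allow-list), encode on output (context-specific).

    Rejected input is not 'cleaned up'; it is refused and a fixed message returned.
    """
    username = allow_list_username(raw_username)
    if username is None:
        return "<p>Invalid username</p>"
    return f"<p>Hello, {encode_for_html(username)}</p>"


if __name__ == "__main__":
    # Constructed sample: markup-bearing input passes the deny list but not the allow list.
    sample = "alice<b>"
    print("deny-list accepts:", deny_list_ok(sample))          # True (missed)
    print("allow-list accepts:", allow_list_username(sample))  # None (rejected)
    print(render_greeting("alice_01"))
```

Validation decides whether the data is acceptable at all; encoding is still applied on every output path because the same value may later reach a context the validator never considered.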