That is why two of my areas of focus have always been to:
1) involve relevant stakeholders (get inspiration on the "how" from the power-interest grid by Eden & Ackerman, 1998) in security risk management, even though it takes time and you have to accept that you will not look as efficient to senior management as you could - in the long run, you will have a much greater impact. Remember that "effect = involvement x quality", and if you have to change how people work, involvement is key.
2) prioritise implementing the mitigating measures you have evaluated as worthwhile during the security risk assessments. It is a trap to get so fascinated by the colours of your heat maps and the details of your risk register that you forget what it is all about - implementing measures that change the level of risk your colleagues (& customers?) are facing. It is the basic business discipline of project management that will change things "where the metal meets the meat" or, in business language, where you meet your customers' needs.
To keep it short: put effort into identifying and implementing the mitigating measures that support your organisation, and prioritise the involvement of relevant stakeholders.
The author is the CEO & Founder of "Human Risks" - an online platform for security risk management where the identification of mitigating measures, their management and stakeholder involvement are the focus. Read more on www.humanrisks.com