2. Flatly declaring a technology as obsolete and insecure because it is old, without discussing nuances, trade-offs, or specific risks. (Windows XP has been popular for this.)
3. Flatly declaring ANY technology as "secure" or "insecure" without discussing nuances, trade-offs, or specific risks (or what "secure" means in the particular context).
4. Arbitrarily high-risk ratings for nearly any vulnerability or audit exception found. Sometimes I think this is done to make the assessors look good (see how badass I am that I found this super-s3kr1t 0-day hole that can pwnzr you?). Of course, this makes the defenders look bad, and then they usually push back, leading to the adversarial cycle of pain that is common to Security Douchanomics.
5. Blindly enforcing best practices as if these one-size-fits-all (and in many instances, cargo cult) processes are the answer to the entire world's security ills, regardless of cost or proven effectiveness.
6. Using misleading or confusing graphics or statistics to convey risk metrics to a non-technical audience. My favorite is the vulnerability scan that shows huge bar graphs with counts of "low" vulnerabilities, which usually are things like "server is listening on port 80" and "Scanner has identified site running Apache." But bigger is worser, right? (See #4.)
7. Specious security reasoning. My favorite: "If a person has financial problems, they would be very motivated to steal from the company, so we can't hire anyone with bad credit checks." Uh huh, so can we please talk about implementing least privilege then?