What's your favourite application risk assessment framework / methodology which takes care of following four points:
1. Risks on the application's underlying assets (servers, firewalls, other infrastructural elements)
2. Logical risks - privileges, role-based access controls, SoD, etc.
3. Compliance - Licensing, CALs
4. Executive dashboard with graphical risk rating across the above 3 categories.
For other parts you can identify improvements with a price tag and the loss multiplied by the chance of the damage happening... Easy, maybe no need to bugger the managers...