Among other things, Bruce Schneier is famous for saying that "security is a process". His point wasn't about process so much as products. Customers buy security products (like anti-virus, firewalls, and IPS) thinking they are a magic pill that will stop hackers. They aren't a magic pill, of course, their efficacy depends a lot on how these products are used, the "process".
But, "process" isn't a magic pill, either. Process cannot make up for product deficiencies Process cannot make up for the lack of skills and education in IT organizations. Indeed, the under-skilled use process to mask their own inadequacies. Process often becomes it's own worst enemy, sucking up resources to feed itself rather than making forward progress toward a goal.
Process has become a cliché: what value the idea once had has been destroyed by its overuse.
I mention this because recently I've seen a bunch of articles/posts attacking "process" and I wanted to jump on the bandwagon. The new phrase is now "security is not a process". Though of course, once we finally convince people the value of this idea, it, too, will have become a useless cliché.
Update: Note the excellent comment below from @JPGoldberg on why he uses this cliché. I think the point is that even though something has become a cliché doesn't mean it's lost all value when used correctly.