We have to think about these differently. A low-energy threat can be defeated with a quality implementation of a checklist, a medium-energy threat through the application of expert thinking frameworks like NIST or risk, whereas a higher-energy threat takes a more responsive approach such as the cyber equivalent of the gaze heuristic for hunting teams. It means checklists, risk frameworks and hunting are all equally useful, and switching from compliance to risk to cyber hunting and back again is a waste of focus; we should be using all of these as appropriate depending on the threats we face.
I believe very strongly that every team has some ratio of “checklists vs risks” approach. My writing, lately, errs very strongly towards the analytical risk path. It’s my belief that this is where the best practice is formed that ultimately ends up on a checklist after it has survived as a hypothesis long enough.
As an example, there are not very many established standards for enterprise cold storage of cryptocurrency. Many organizations have built / are building it from scratch with a cognitively heavy approach, mainly because requirements differ so drastically. In twenty years or so, there may be more established policy approaches that follow a runbook, or even go so far as a regulation, and it will likely satisfy a lot of common design patterns as a result.
I think this sort of lifecycle of “checklists vs risks” is related to your comment.