For some reason I cringe every time I say the phrase "minimize risk." Primarily, this is because I think it is extremely rare for people to work to minimize risk unconditionally, and so one person's version of minimizing risk is actually different from others. This is strange until you realize that we always manage risk within a set of constraints – the resources we can allocate to the process. People think they are minimizing risk when really they are optimizing it.

The notion of risk optimization is not an oxymoron, it is a recognition that there are constraints around our ability to minimize risk. We aren't trying to get risk to its lowest point, we are reducing risk based on the amount of available resources we can allocate to do so. Optimizing risk in this way allows for the different levels of risk aversion and takes into account the huge variances in security budgets.