Rafal has a good post on the challenges security folks/sdl folks have when presenting their findings to business folks.
"The presentation the next day kicked off as expected... we presented our executive summary, the methodology of our product validation and moved on to the specific findings. In this case, since there was so much wrong I stripped out only the Critical and Highly Important issues and bundled the rest into a "non-mission-critical" bucket for the sake of brevity. My goal was to move through that into our recommendations section where we would propose what the customer should do next, including building a security validation program and starting to integrate into the SDL; let's just say I never got that far...
As soon as I hit the Criticals section I noticed something wrong. Immediately the faces of the folks in the room started to look... befuddled I think is the correct word. Some got that glazed-over look I get when my wife tries to explain the complex relationships of her friends and such... they were overwhelmed, lost, and confused. I stopped and asked if there were questions... no one raised their hand or spoke up so I continued. I got about 1/2 way through the critical issues section when the CISO, hand half-raised, looked at me and said "This is way too much ... I just don't think we can handle it". Naturally I thought he was talking about the depth of the presentation... or the mountain of information I was giving them... nope - he was referring to the number of things that we had found that were wrong with the site."
This is probably fair more common than you think.