efforts to reduce or manage system cyber risk are ad hoc and uncoordinated
Indeed so. "Band-Aid" point fixes for narrowly specific technical problems keep emerging, making the infrastructure ever more complicated. Unfortunately, complexity tends to make things less secure because it increases both the attack surface and opportunities for unforeseen interactions and side effects to occur. That trend also assists in driving constant 'upgrade' churn, which keeps everyone on a permanent learning curve - the opposite of good security, as thorough familiarity with the idiosyncrasies of one's systems assists their robust management. Furthermore, the growing tendency to replace human decision-making and judgement with (inevitably attackable) automation is causing us to lose touch with the adversary at the metal level where it's most important to be clear about what's going on. The result is that we become increasingly reactive, rather than pre-emptively resilient.