Intuitively one would be inclined to think that improving organizational security capabilities would increase overall organizational security maturity. As maturity increases, better controls/risk mitigations would be designed and implemented, leading to lower residual risk levels. This would suggest a negative correlation between maturity and risk.
Assume there is a maturity scale of 1 to 5 and a risk scale of 0 to 100.
Does anybody know how risk and maturity would relate and/or how much correlation would be reasonable to expect?
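As an added illustration (not part of the original post), the toy model below makes the question concrete: residual risk is taken to be inherent risk scaled down by a control effectiveness that rises with maturity, and Spearman rank correlation is used because the 1-5 maturity scale is ordinal. The effectiveness-per-level mapping and the two organisation data sets are constructed assumptions, chosen only to show why the correlation is perfectly negative when every organisation carries the same inherent risk and much weaker when inherent risk varies between organisations.

```python
"""Toy maturity-vs-residual-risk model with Spearman rank correlation.

Added example; the effectiveness mapping and the sample organisations are
constructed assumptions, not data from the original discussion.
"""
from statistics import mean

# Assumed fraction of inherent risk removed by controls at each maturity level (1-5).
CONTROL_EFFECTIVENESS = {1: 0.10, 2: 0.30, 3: 0.50, 4: 0.70, 5: 0.85}


def residual_risk(maturity: int, inherent_risk: float) -> float:
    """Residual risk (0-100) left after controls of the given maturity level."""
    if maturity not in CONTROL_EFFECTIVENESS:
        raise ValueError(f"maturity must be 1-5, got {maturity}")
    if not 0 <= inherent_risk <= 100:
        raise ValueError(f"inherent risk must be 0-100, got {inherent_risk}")
    return round(inherent_risk * (1 - CONTROL_EFFECTIVENESS[maturity]), 2)


def _average_ranks(values):
    """Rank values 1..n; tied values share the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2          # positions are 1-based: (i+1 + j+1) / 2
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs, ys) -> float:
    """Spearman's rho: Pearson correlation computed on (tie-averaged) ranks."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equally long series with at least two points")
    rx, ry = _average_ranks(xs), _average_ranks(ys)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5


def maturity_risk_correlation(orgs) -> float:
    """orgs: list of (maturity, inherent_risk). Returns rho(maturity, residual risk)."""
    maturities = [m for m, _ in orgs]
    residuals = [residual_risk(m, r) for m, r in orgs]
    return spearman(maturities, residuals)


# Constructed sample: one organisation per maturity level, identical inherent risk.
UNIFORM_ORGS = [(1, 80), (2, 80), (3, 80), (4, 80), (5, 80)]

# Constructed sample: mixed inherent risk, so a mature organisation in a risky
# business can still carry more residual risk than an immature one in a safe business.
MIXED_ORGS = [(1, 20), (1, 90), (2, 60), (3, 95), (3, 30), (4, 100), (4, 40), (5, 96)]


def run_scenarios() -> dict:
    """Correlation for both constructed samples, keyed by scenario name."""
    return {
        "uniform_inherent_risk": maturity_risk_correlation(UNIFORM_ORGS),
        "mixed_inherent_risk": maturity_risk_correlation(MIXED_ORGS),
    }


if __name__ == "__main__":
    for name, rho in run_scenarios().items():
        print(f"{name}: Spearman rho = {rho:+.3f}")
```

With identical inherent risk the correlation is exactly -1.0; with the mixed sample it drops to roughly -0.63, even though every organisation obeys the same monotone control model. The gap is entirely due to variance in inherent risk, which is one reason a measured maturity/risk correlation can look modest without implying that the controls are ineffective.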