It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks. Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified.