One of the problems with security architecture is that it is not amenable to absolute measurements. Because projects differ so much in size and complexity, a measure such as the number of assessments performed is like comparing apples to oranges to bananas to mangoes to tomatoes. And really, how can you count the produce from a single plant and use that quantity to calculate the success of your entire garden? These are not comparable quantities.
Another poor measurement is the number of requirements written. A project that adheres to organizational standards will need few, if any, additional requirements; in that case the security architect has done his or her job properly, and adherence to standards is to be encouraged. My guess is you don’t want your security architects to believe that success is a matter of writing requirements. If you do, you may get a lot of meaningless requirements, or even impossible requirements that projects can’t fulfill. Bad idea. But I’ve seen it proposed for lack of any useful measure of success.
Instead, let me propose a couple of approaches that may help.