Comprehensive and Detailed Explanation (250–350 words)
===========
According to EC-Council CCISO documentation, the most common root cause of high volumes of security exceptions is poor alignment between the security program and the organization’s business operations.
CCISO materials emphasize that when security controls do not align with business workflows, objectives, or risk tolerance, business units are forced to request exceptions to operate effectively. This signals a governance failure, not user resistance.
Weak audit support (Option A) affects oversight, not exception volume. Business resistance (Option B) is an oversimplification rejected by CCISO governance principles. Lack of executive presence (Option C) may exacerbate the issue, but the underlying cause remains misalignment.
CCISO training stresses that effective security programs are risk-based, business-aware, and adaptable. High exception rates are a leading indicator that controls are impractical, poorly designed, or not mapped to business needs.
Therefore, Option D is the correct answer.
