In large organizations, the number of risks opened and managed should be above 500, which is not a large quantity. In fact, visibility into existing risks starts to increase, and improve, when there are more than 500 open issues.
The solution to the challenge of managing issues isn't to have fewer issues.
The solution is to allocate resources, for example to graduates, or recently hired staff.
These are inexpensive professionals who want to develop their careers in AppSec, or they want to get a foot in the company's door. Employing them to manage the open issues is a win-win situation, as they will learn a great deal on the job, and they will meet a lot of key people.
By directing graduate employees or new hires to manage the open issues, developers' time is then free to fix the issues instead of maintaining JIRA.
The maintenance of issues is critical for the JIRA RISK workflow to work, because one of its key properties is that it is always up-to-date and it behaves as a 'source of truth'.
It is vital that risks are accepted and followed up on and that issues are never moved into the developer's backlog where they will be lost forever.
We can't have security RISKs in backlog; issues must either be fixed or accepted.
(from SecDevOps Risk Workflow book, please provide feedback as an GitHub issue)
