I really like the idea of Security being part of the overall IT service warranty. Just as IT is responsible for providing a service level agreement on performance and availability, security should be part of the contract between IT and the business.
It is difficult for IT to guarantee any specific outcome in terms of security, and so it would be natural for the security portion of the service level agreement to be along the lines of "We will provide the following security activities/services for this business service." However, that doesn't necessarily help the business unit understand the amount of risk that they may be accepting. This means that a strong dialog is required between InfoSec, IT Operations, and the business regarding security on each business service. Having the security component of the service level would start that conversation.