[herghost]

I feel like your second paragraph is getting the focus of everyone's ire, whilst your first point is being missed (and is a much better one):

>I have to say that by the time anyone has infosec written down and categorized it is obsolete

It's a worthy goal for CyBoK to try to write this down, but having skimmed over the AppSec one it immediately feels like it's something that will get finished one day, and then people will get round to reading it one day by which point it will be little more than an academic curiosity.

My first impression is that it is broadly an academic exercise and not a practical one. This type of knowledge needs to be documented in more dynamic format if it is to stand any chance of being relevant, let alone remaining relevant. It needs the funding and the community support, but on top of academics cogitating over it, it needs real-world, real-time input, maintenance, and updates.