From my experience, risk analysis or threat modelling for most software is done in approximately.. 1 of the customers I've dealt with. And they had a big bankroll, with bigger compliance/regulations/security reqs than most (incl typical F&I and HealthCare orgs).

n = 1 and I don't live in NA or EU, but security isn't even an afterthought.