Risk Assessment for the Application Development Environment

I was asked to perform a risk assessment for a company. The field of application covers about 100 applications and in different business units. The main task is to evaluate the security controls currently being implemented and to make recommendations after the assessment. Also provide recommendations on preventing leakage of source code and other sensitive information.
I approach it as an organizational level security risk assessment using a framework such as the NIST CSF, while my colleague is thinking more about conducting risk assessment risk assessment. of the SDLC / agile / devops process, which, in my opinion, is not a security risk assessment, but a project-level process risk assessment. I have not yet seen security risk assessment of development methodologies in terms of security.
I want to ask here what is the right way to approach this risk assessment.
I am interested to know