Is there a guide to teach these reluctant sysadmins how to evaluate, plan, and choose between all these different methods ?

For me, I find the hardest part of securing systems are usually to decide what is good enough for the current situation.