Of course...
...it is possible to measure 'IT Security'.
You can measure compliance with standards. You can measure 'effectiveness' at year-end retrospectively against some measure like total cost of incidents/total security spend. You can do a lot of other things. I have spent a career in HMG and Industry doing just that, including lecturing on the subject.
A better question, however, is whether 'measuring' some aspect of 'security' is a fundamentally good idea. Security is not easily defined (unless you do it glibly), but it is obviously a process, not a state, and as much of an art as a science.
Art may certainly be 'appreciated' and 'criticised'. But would 'measuring art' help a lot?
I suspect what you are thinking of doing is 'selling' security to business. This certainly needs to be done properly - scare tactics do it very badly. But if you are thinking of doing this primarily through Benthamite measurement I suggest that you will run into difficulties - just as if you had tried to sell art, honour or beauty to customers in a purely utilitarian manner....
icon - security geek has left the building...