The prioritization of your production security program always depends on your organization: what resources you have, how critical your products are to the organization, and what the most effective ways are to discover, remediate, and respond to vulnerabilities in your products. For instance, the prioritization will be different for technology organizations, where Engineering and Product are core to the business, compared to non-technology organizations, where Engineering is a support function for the business.
Generally, I recommend starting with Relationships, Design/Code Review, and Vulnerability Discovery to get good situational awareness of how vulnerable and mature code, processes, and people are at the organization.