Re: My guess at which of the four is done
Can confirm, I've done all of these since coming in post in the past 5 years as ISO.
Patching - easily done, requires a lot of work and in some cases organising maintenance windows with departments, but it's all low impact at worst (usually), and when things go wrong IT can handle it themselves.
Application whitelisting - we ran tools to check what was in use prior to switching to this, and when we did it was OK 99.9% of the time, but we had a few, usually high-level, folks kicking off because their daft software no longer worked, despite them having left their laptop at home for 3 months whilst we evaluated what was in use.
OS versions - more difficult as some of our equipment needs XP, so eventually we decided to air-gap those machines until they could get the equipment updated.
Removal of admin rights - this was the hardest as it was all political, and much of the resistance came from within our own IT department, surprisingly. Many applications "couldn't run without admin rights", which we then had to go on to prove they could; if our IT management hadn't been told to get it done by a certain date, this would never have happened. This one really needed the backing of our chief exec, and she was prepared to go nuclear with IT management if it didn't happen.
Bottom line: if senior management don't cover you, none of this will really happen. The buck stops at the top, after all.