"Astrisk is a great product (I use it at home), but I'm not going to recommend it for 5000 seat deployment, where if there are problems I can't find find fixes for, I have to blow the dust off of my C compiler to (try in vain probably) to fix. If I run into a problem with a Cisco deployment, I get support from someone that will write code fixes if necessary to fix my problem and get the system to work the way it was promissed"

I don't see any logic in this statement. Digium is a company who too has developers who can fix a problem. Being the code is GPL, means there are plenty of people who can actually look at the code and fix a problem.

SCCP is proprietary which means that most likely entities will never choose it over something as widely deployed as SIP. SIP just allows a lot more flexibility wouldn't you think? Not being tied to a specific vendor usually allows that.

There are a whole lot of VOIP providers out there that have more than 5000 customers and most of them support SIP and believe it or not are most using Asterisk. While not all of them may be perfect, I don't experience any dropped calls with the ones I use.

In the end, I don't think of risk management in the way that is stated. Risk management is rather a process of planning to reduce the number of risks. While theories about probable difficulties are part of risk management, they aren't specific to a specific resource and problems can result from any deployment.

While you may feel most comfortable with using a Cisco product, comfort level is not risk management.