My huge company with many brands has 100s of web sites. We have a few classifications of sites, and each classification has it's own process. In some cases (e.g. credit cards involved), it MUST be deployed & operated by a 3rd party vendor (different than the developer). In other cases, a single (approved) developer can do everything him/herself, as long as it's coordinated with the brand manager and corporate PR and has no features corporate privacy or security teams would object to and is hosted at an approved provider.
In some cases, a seemingly simple new facebook page needs LOTS of input from LOTS of groups, and needs to follow a pretty complex process of who does what. In other cases, it's a trivial task that can be done in a morning with emails between 3 people.
The key is to think up front about the different classifications. What are the legal/privacy/security/pr risks? In our case, risks not just for the brand, but all brands in the company. What can/can't be done in the different classifications? What processes need to be followed for each? What common components/services can be used/deployed without a security or privacy risk? After that, each site can be managed with the quickest and cheapest process? We would have 1/2 the sites and 1/4 of the facebook presence if every site had to follow the same processes (or we'd have lots of privacy, security, and operations issues).
While credit card sites are operated differently, all sites and facebook pages are operated by the same 2 vendors with the same SLAs. We worked very closely with the operations companies to come up with the different deployment processes so that we can have both the quick/cheap and more complex types of sites with the same 24x7 SLAs. We also worked with our legal, privacy, security, and PR teams to make sure they are all satisfied that the processes are acceptable.