What is the PRIMARY objective of information security involvement in the change management process?
The primary objective of information security involvement in the change management process is to reduce the likelihood of control failure. Information security ensures that changes made in the system don't compromise existing security controls, thus maintaining the integrity, availability, and confidentiality of the system. This involves evaluating the security impact of proposed changes and verifying that security controls remain effective after implementation.
I am split between B and C but going with C. Making sure changes are not implemented without authorization is the primary purpose of the whole change management process and everyone involved. The question specifically asks what the PRIMARY objective of IT security is in the process, and to me that is not necessarily about work authorization but making sure the behavior of the controls we have in place is not influenced by the change.
The PRIMARY objective of information security involvement in the change management process is to reduce the likelihood of control failure. By having information security involved in the change management process, it can ensure that changes are implemented in a controlled and secure manner, minimizing the risk of unexpected outcomes or failures that could result in security breaches or other negative impacts. This involves assessing the security impact of proposed changes, ensuring that proper security controls are in place, and verifying that the changes have been implemented as planned.
The objective is to reduce the failure.
CISM Exam Prep Guide (2nd ed.), p159: "For effective change management, it is important that the security team be apprised of every major change. It is recommended to include representation from the security team on the change control board. This will ensure that security aspects are considered for any change." So C seems most correct to me here, although I'm also torn between B and C.
C is most suitable
C for me
A good change management process includes segregation between development, testing, and operations. In the testing phase you check all requirements and security controls you want to have.
C for me
I go for A; changes can introduce new vulnerabilities even without compromising existing controls.
C. To reduce the likelihood of control failure
The primary objective of information security involvement in the change management process is to meet obligations for regulatory and legal compliance because the change management process must ensure that changes to the information systems are made in accordance with legal and regulatory requirements. This helps to maintain the confidentiality, integrity, and availability of sensitive information, and reduces the risk of data breaches, unauthorized access, and other security incidents. By ensuring that changes are made in a controlled and authorized manner, information security can help organizations to meet their obligations under various regulations, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).