Computer system security is a lot more complicated than giving everyone a username and password. In real systems, people play different roles (sometimes several per person) and each function of a system can only be performed by certain roles. That would be good if it were all, but it is also the case that a person can have a different role depending on the data context. In one project, a user might be the project owner, capable of taking any action, but in another project, they might only be responsible for a small area, or have read-only access for whatever reason. So every action needs to be checked for the right person in the right role in the right context.
Mokalus of Borg
PS - The point is that there are a thousand ways to do security wrong.
PPS - And only a few ways to do it right.