Security is imperfect
Just like anything else, all security mechanisms are inherently flawed, the only thing that separates good security from bad security is the degree of work an attacker has to do in order to by-pass it. A security mechanism cannot be perfect, but it has to be at least good enough for the purpose.
Security is not some “self contained” entity
But a chain of mechanisms, governed by a set of practices, used (and abused) by an unpredictable number of unknown users (and abusers). Any secure system is just as secure as its weakest link. When that link fails, security is compromised.
Security has to be enforced
Users (and some webmasters, for that matter) often don’t care at all about the security of their online affairs, until it’s breached. People get annoyed when confronted with security checks and requirements. Online security compliance does not come natural and has to be enforced, not only for your users, but for your system, also.
Do not assume safety
You must never assume your system is safe just because this or that scenario is highly unlikely to happen. If it can happen, however low the odds, it will happen at some point. You can count on mankind’s general ill will for that. Be prepared with counter-measures, forget assumptions.