I think it's a first step. It makes it idiot-proof.

While not applicable every situation, it does handle 90+% of all applications. Since the userID would be the first parameter, that does cover database security, in addition to the application role-based security.

The performance would not be an issue in nearly all applications. Optimization is something to discuss afterwards. It makes application development very rapid and very simple too.