I think half the issue is that we've got lazy developers who circumvent security in the name of repid development. I can't tell you how many developers I've worked with who run code as a user with sysadmin rights and when we, as DBA's, try to deny this, they go around and over our heads and get some high manager to bypass the best practices. I've even seen this from purchased applications.