• I have to admit being lax about security as far as developers go. Of course, part of this comes from the fact that I have always worked in small shops (max 5 developers including myself) and we have all had some level of interaction with the SQL Servers, so we took the easy way out and were all sysadmin. I'm not saying that this is the best way to do things, but it is how it was done.

    For regular users I am with Andy in that I rarely grant direct table access and rarely use the fixed database roles. One area where I did use the datareader role was for a specific linked server account we had set up. It was only used internally and used within stored procedures to access data across servers.