In all my experience, every single complex security policy I've seen
has very serious issues. Complexity kills it. There's always a scenario
somewhere that someone has forgotten about that breaks stuff.

Heck, this even happens with access control systems like PAM. About every
3 months, we hear of a security hole where some distro has managed to ship
an ssh policy that makes it possible for root to log in remotely without
entering a password, provided he does not have a DSA key (don't believe my
word, read bugtraq!).

There is no model of complex security authentication systems. There is no
tool that allows people to configure this kind of stuff properly, *and
check the results*. Not just write documents, but actually verify that
*every case* makes sense. Consider the combinatorial complexity of that.
Consider real information systems, where people either have ten passwords
to remember, or they use some account that's not there, or there is some
temporal incongruity between what should be and what is.

(Tivoli is probably the closest there is to that in the proprietary world).

In the end, you want simple security. If you need ACLs, then you probably
fucked up your design, and decided to add an architectural band-aid to
cater over the holes of the broken design.

That said, ACLs and mandatory access control make for great security theater
(see Bruce Schneier's website if you don't get the reference).
It's the kind of expertise that allows consulting businesses to make a living
in security IT.

Not much actual security, though.
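The post's point about checking *every case* of a policy can be shown concretely. The script below is an added, editor-written example, not code from the poster or from any PAM or OpenSSH component: it models a deliberately tiny remote-login policy (constructed here, with made-up inputs such as `permit_root` and `has_key`) in which one case was never written down and a permissive default fills the gap, then enumerates the entire input space and reports every decision that grants access without a verified credential or against the configured root restriction. The same brute-force invariant check is written once and run against a hypothetical sloppy rule set and a hypothetical strict one.

```python
"""Exhaustive invariant check over a toy login policy (constructed example).

The policy model, the field names and the rule tables are assumptions made for
this illustration; they do not describe real sshd or PAM semantics.
"""
from itertools import product
from typing import Callable, Iterator, List, NamedTuple, Tuple


class Request(NamedTuple):
    user: str            # "root" or an ordinary user
    remote: bool         # True for a network login, False for the console
    has_key: bool        # client proved possession of an authorized key
    has_password: bool   # client supplied the correct password
    permit_root: str     # config knob: "yes", "no" or "without-password"


USERS = ("root", "alice")
PERMIT_ROOT = ("yes", "no", "without-password")


def all_requests() -> Iterator[Request]:
    """Every combination of inputs: 2 * 2 * 2 * 2 * 3 = 48 cases."""
    for user, remote, key, pw, pr in product(
        USERS, (False, True), (False, True), (False, True), PERMIT_ROOT
    ):
        yield Request(user, remote, key, pw, pr)


def policy_sloppy(r: Request) -> bool:
    """Hypothetical rule set written case by case, with one case forgotten.

    The author enumerated (permit_root, has_key) pairs for remote root and
    never wrote the ("without-password", no key) row; the lookup falls back
    to a permissive default, so that forgotten scenario is granted.
    """
    if not r.remote or r.user != "root":
        return r.has_key or r.has_password
    rules = {
        ("yes", True): True,
        ("yes", False): r.has_password,
        ("no", True): False,
        ("no", False): False,
        ("without-password", True): True,
        # ("without-password", False) is missing from the table
    }
    return rules.get((r.permit_root, r.has_key), True)  # default-allow bug


def policy_strict(r: Request) -> bool:
    """Hypothetical corrected rule set: a credential is always required."""
    if r.user == "root" and r.remote:
        if r.permit_root == "no":
            return False
        if r.permit_root == "without-password":
            return r.has_key
    return r.has_key or r.has_password


def violations(policy: Callable[[Request], bool]) -> List[Tuple[str, Request]]:
    """Run the policy on every case and collect invariant breaches.

    Invariant 1: access is never granted without a key or a password.
    Invariant 2: remote root is never granted when permit_root == "no".
    """
    bad = []
    for r in all_requests():
        if not policy(r):
            continue
        if not (r.has_key or r.has_password):
            bad.append(("granted with no credential", r))
        elif r.user == "root" and r.remote and r.permit_root == "no":
            bad.append(("remote root granted despite permit_root=no", r))
    return bad


if __name__ == "__main__":
    for name, policy in (("sloppy", policy_sloppy), ("strict", policy_strict)):
        found = violations(policy)
        print(f"{name}: {len(found)} violation(s) in {sum(1 for _ in all_requests())} cases")
        for reason, req in found:
            print("   ", reason, req)
```

Running it lists the single forgotten scenario for the sloppy table (remote root, no key, no password, `permit_root="without-password"`) and nothing for the strict rule set. The state space here is 48 cases, which is why a plain loop suffices; the post's point is that real deployments multiply these factors until no one enumerates them by hand, so the check has to be automated or it is not done at all.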
