Yes, you are right. But I was not speaking from a "policy" perspective. I was saying essentially what you are trying to say: security is holistic. What I was trying to say, apparently not very well, is that secure code must be based on a secure design. If you hack something together, without explicitly analyzing your design patterns, you have no way to convince yourself that it is secure. This is not about policy: it is about sound design.

As Peter Neumann once said, "Good system and network architecture is perhaps the most fundamental aspect of any efforts to develop trustworthy systems, irrespective of the particular set of requirements whose satisfaction is necessary."

Neumann is Principal Scientist at the Computer Science Laboratory of SRI International, Fellow of the AAAS, ACM, and IEEE, recipient of the ACM Outstanding Contribution Award in 1992, the Electronic Frontier Foundation Pioneer Award in 1996, and the ACM SIGSOFT Outstanding Contribution Award in 1997, an ACM National Lecturer for 16 months during 1969 and 1970, 1997 recipient of the Norbert Wiener Award for excellence in promoting socially responsible use of computing technology, SRI Fellow, and Honorary CISSP (Certified Information Systems Security Professional), awarded by the International Information Systems Security Certification Consortium -- (ISC)^2. I was therefore honored when he wrote the foreword for my book High-Assurance Design.