Yep, stealing a security card is always a good approach, but as an employee I'd rather have someone steal my card than my retina ;-). I think we can agree that security is not simple in any case, and I just like having the weaknesses up front where they are known and can be monitored.
On that point, the bit you added about keeping measures secret (security through obscurity) is again something I'm not comfortable with, as assuming the bad guys don't know something is a horrible mistake. Secrecy as part of a security tool (e.g. keeping your password secret) is fine and necessary, but as a tool in itself it is not.
I'd like to be able to assign to an luser