- Default Permit
Also known as "on by default". This one is huge, and it alone is why the phrase "Windows security" was such an oxymoron for so long. The good news is that Microsoft's new policy of "off by default" that kicked off with Windows Server 2003 is really working.
- Enumerating Badness
This is why blacklists are, and always will be, a bad idea. They're OK in helper roles for spot fixes, but as a primary means of defense, they are fatally flawed.
- Penetrate and Patch
Security starts from the inside, not the outside. No amount of patching will fix a fundamentally bad security design. Should you be patching-- or rearchitecting?
- Hacking is Cool
It is interesting that society considers spammers "sleazy con artists" yet hackers are "whiz kids". I think it has a lot to do with the financial motivations behind the crime. Maybe as hacking becomes more strongly associated with flat-out stealing, this will change.
- Educating Users
A security system that fails to assume users are fallible and weak by default is destined to fail spectacularly. Education, at least when used as security spackle, doesn't work.
- Action is Better than Inaction
You can always recognize the pioneers from all the arrows in their backs. Progress is good, but careful progress is even better. Always do your homework before jumping on any bandwagon.
While we're on the topic of security, TristanK has an interesting rant on keyloggers. I think it's a myth that you can protect yourself from the client PC anyway-- the client is always suspect. That is, until client PCs start looking a lot more like Xbox 360, where you have to solder a modchip on the motherboard to run custom software.