RSnake has put up a really great write-up entitled, Death by a 1000 cuts. It describes how a series of minor security issues can be combined to form a very serious attack.
I spent most of my time dealing with security operational issues, where sometimes these sorts of minor issues are where I have to make concessions to get the big stuff done. I think this is a really great example that we security people need to take to developers and IT operational staff to show them why defense-in-depth is necessary.