Hi Christina
Part of Support would also include Audit Season - explaining why the design is a certain way, assisting with interpreting the security and associated risk (there will be a discussion as to why the asterisk is in the role)
Then there is regular security patch each month to review SAP Notes for impacts to security
Each time a new transaction is needed to add to a role you need someone who actually knows how to use SU24 and PFCG properly. This is not fun to cleanup when an inexperienced person has built security. Quite a few places attempt to cut costs by claiming the Functional Consultant will do security for their area. Some Functional guys know security really well but you risk ended up with each area building security their own way and it becoming a nightmare for Service Desk/User Admin to support the system.
You then have Enhancement Packs and Upgrade (transaction SU25 work) and reviewing new security functionality.
Add to Developers - typically don't add security checks to their code unless requested. By the time the program is developed and transaction requested to be added to the role you find your can't adequately restrict the access. Have the Security Expert review the request at the beginning of the process. This happens during a project but also post go-live.
Your authentication if Single Sign-on, etc is used may need ongoing support or expertise in the area.
There's more reason and usually your argument is up against a cost decisions. Security can be seen as a necessary evil. In projects it's one of the last things that gets considered/started and one of the first to be cut back.
Regards
Colleen