Hi,
many authorization concepts is definitely an issue for many customers. Unfortunately, I don't think that there is a grand unifying authorization concept that can be applied to all various business applications. I have not seen concept used in SF but I doubt it's the one.
Actually, I was more talking about secure development to minimize vulnerabilities. It seems to me that SAP did not have to face a big crisis as Microsoft where change was initiated by Bill Gates.The question is if that is by having good standards for development or it is just caused by attackers using other means to break into systems and infosec community is not really interested in SAP. These days they seem to be occupied by attacking cars, planes and other IoT devices. I think as usual the reality is somewhere in the middle. I think that is also the original question asked by Chezangla. Should we be worried about security of SAP products, especially HANA? I would say yes but panic is not going to help. So let's focus on stuff like patch management, regular vulnerability scans and so on.
Cheers