Quite a few security issues can be handled by the server hosting the web application. Outside of that, it is certainly best to know where access is allowed and what else can be gained with that access. Cryptography is a necessity when dealing with sensitive information, and the respective class doesn't make it overly easy to meet industrial encryption requirements. Possible, but not the kind of thing you'd do just because. If 2008 made some of those functions a bit easier to play with, it might encourage more security among websites.