Re: Sigh
Security is straightforward (I'm so glad you didn't say simple or easy, cheers!) if its a consideration from the start and there's no interference from management or marketing types with silly ideas.
Let's take this case: a forum for a game. What do we actually need? A username, an email and a password. The first two need to be stored and used but the last can be hashed so even if it leaks its no use anywhere else. Simple, understood and easy to implement.
Then someone from legal points out that you need to confirm an age to comply with something or other. Note that the age doesn't have to be real, just what the user says they are 'cause this is strictly for compliance and arse covering purposes not actual child protection or anything like that. So we start collecting birth dates, flag user as legal or not and dump the original data.
Then someone from marketing has the genius idea that that data would be useful. I've never seen a compelling case beyond "personalisation" by sending an automated happy birthday message which is about as endearing as any automated greeting. So now we have personal information we have to store and the slippery slope begins. Before you know it you are collecting names, addresses, mother's maiden name and inside leg measurement and all on a system that was never intended to store anything confidential.
Been there, wrote the post mortem after it went tits up.