The Security was actually good and still good on later NTs...
But there were three HUGE problems.
By default there was no Ordinary User account created, only the Admin account.
People didn't write applications properly so they could be installed by Admin and used by User. This especially was an issue from NT3.51 when people started to use the Workstation product and applications written by WFWG / Win95 developers.
Only with PROPERLY configured permissions on NTFS. Out of the box the permissions on directories were not set to the ideal.
The Token-based scheme and ACLs were very powerful for people that bothered to use them properly. The Problem was that folks treated it like WFWG / Win9x (and increasingly MS themselves from Win98). Other often ignored features of serious value:
Named pipes (can't be created on Win9x, but even DOS clients can connect to them)
Using files as Arrays (sort of persistent virtual memory)
Streams in Files (a little like Apple Resource Forks).
The problem was that most people never bothered to learn how to configure it or how it worked 1/10th as much as a Linux/UNIX admin/User. Eventually this applied to MS too, which is why they did REALLY STUPID stuff (GDI to Kernel in NT4.0), gratuitous moving stuff around (W2K, XP, Vista/W7, Win8) for no good reason. Buggy Explorer. Stupid defaults on Share and Device names and security.
So the BIGGEST problem is the install defaults. 2nd Biggest was similarity to WFWG & Win9x. Win9X should NEVER have been released. It and Win98 helped degrade NT4.0, Win2K, XP, Vista/Win7 and Win8 to becoming ever more bloated, unreliable, less secure and more broken.
NT4.0's major security & reliability flaw was GDI moved to Kernel to make video 10% faster. Stupidity given how fast PC performance was improving 1995 to 1996.
I did have NT3.5 on a 386DX-16 MHz with 6M of RAM. Worked fine as a file server. NT4.0 was fine with Internet Proxy (WinGate), MDaemon for Mail, MS-SQL server, File & Printer server etc. in 20M RAM on a 486.
So NT3.1 wasn't "bloated" or "Slow" for a 32 bit server, nor even was NT4.0.
NT 4.0 ran on Alpha, PPC, MIPS and 64bit Alpha as well as x86. It had Clustering (developed by DEC) from 1998/1999 that could be implemented really cheaply with two ordinary Servers, SCSI controllers with two channels, two external storage shelves.
Where did MS go wrong? Concentrating on eye candy instead of real suitability and REALLY badly done installer Wizards with BAD silent defaults. STILL. Why is EVERY service on by default?