"I think the lesson is that you can never leave configuration up to humans."
No, the lesson is, don't expect developers to be good sysadmins, or vice versa. Security should be done by somebody competent in the field, just as development should be.
"The real lesson... is that by turning security into code, it can be built, tested, and managed in a completely automated fashion. To the maximum extent possible we have to get the humans out of the loop."
And what a fucking nightmare that would be, if security was left up to automation.