alt Hacker News> Every time I've tried to deploy non-trivial software systems to highly secure setups it's been a tedious nightmare.
I don't know exactly which "secure setups" you are talking about, but the false equivalency between security and complexity is mostly from security theater. If you start with insecure systems and then do extra things to make them secure, then that additional complexity interacts with the thing you are trying to do. That's how we got into the mess with SE Linux, and intercepting syscalls, and firewalls, and all these other additional things that add complexity in order to claw back as much security as possible. It doesn't have to be that way and it's just an issue of knowing how.
If you start with security (meaning isolation) then passing resource capabilities in and out of the isolation boundary is no more complex than configuring the application to use the resources in the first place.
Look at how people have responded to Rust. On the one hand, the learning curve for memory safety (with lifetimes and the borrow checker) can feel exhausting when moving from something like Ruby. But once you internalize the rules, you're generally cooking without it getting in your way and experiencing the benefits naturally.
Writing secure systems feels similar. If you're trying to back port something, as you said, it can be a pain in the ass. That includes an engineer's default behavior when building something new.