pedro writes: most people don't think about the inherent security cost of using abstractions.
I wrote an LtU story, The irreducible physicality of security properties; key point related to abstraction: "Security is non-modular: Programming languages and software engineering practices can ensure that software possesses properties helpful to security, but the properties are only meaningful in the context of a strategy to ensure a computer system satisfies its security policy".