Hacker News
by Karunamon 3640 days ago
Thanks for the details.

Regarding insecurity: I don't give much credence to a "history of serious problems". Any (and I do mean any) application which deals with arbitrary input and data types has had a history of particularly nasty security holes.

You'd eliminate every major web browser here too. I see a large number of CVEs as a good thing, as that means there are eyes on the code and the exploits are getting found and fixed. The alternative is worse; it means there are bugs and they aren't being found.

Survivor bias :)

Regarding complexity: Security/authentication tools are complex, and they kind of have to be given the number of requirements, ciphers, data types, etc. There is no solution to this problem.

Regarding attack targeting: Any repository used for authentication will be a DoS/hacking target. Again, it's the nature of the beast; it's a high-value target and always will be.

Regarding SSO/SAML/OAuth: Those have to authenticate against something, yes? What is that "something" in this case that makes it a true alternative?