I've been stirring on this topic for a few months now. I often see companies underestimating the amount of time that's needed for security role customization inside of CRM. It's a complex topic as there are many layers to security within Microsoft Dynamics 365. Often security is mismatched until it works with security roles, teams, and business units.
When thinking about security you need to consider the following items:
One of the biggest drivers to managing security properly within Dynamics CRM is that everything is driven off of it's complex security model. Users might have records, charts, dashboards, etc that they can't see because of there security roles. When we run into security issues during development troubleshooting these types of environments become very time consuming.
I hope this makes you ponder a bit more on the security side of things in your existing or next implementation as it's a very important part of every project.