oh boy, what a mess.
The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.) . But in the end, complexity is what's scary, not some feature that depends on complexity.
This sounds similar to different distros of linux. Some are security focused where nothing is allowed until it is explicitly allowed. Other distros try to be more "user-friendly" and pretty much everything is open.
Starting from a wide open starting point and then trying to batten down the hatches afterwards does seem to the harder way to do it, but that's exactly where FB is. They wanted everything open, and then had to decide to start limiting that data. FB was designed as a place to share info. If you posted it, you wanted to share it. I totally get that mentality. However, as devs, I can imagine that we have all built something that the end users use in a way not envisioned, and we've probably all had "you're holding it wrong" lines of thinking. Once you get to that point, you can alienate users by telling them to stop doing it that way or embrace what's happening, and then make it work for them. Seems like the perfect situation to where bugs can get introduced.