It means security is hard. And yes, we keep finding security issues (in web specs, not just in implementations) due to two different people designing two subsystems and not considering their interactions, or not even knowing about the existence of the other subsystem.
Finding a sane solution to this problem would be wonderful; I haven't thought of one yet.