The security of common sense (continued)
The folly of coders
I put bad programming in this category because without it, users wouldn't have anything to be tempted by. If someone can read a document, they can read all of a document, whether or not it has a form element. They can do this by looking at the document properties. Users can create personal views and see documents not listed in any view. They can view the HTML source in a browser and see all the fields and their values. This is a particularly big hole as users might see such things as:
if (password=="admin32") {…
Coding ACL (Access Control List) and logic into the form means a user can see it and potentially use it. While the concept of client processing is fine and dandy, never push your security to the client. That should all be server-side, and invisible by any means to the end-user. You may pay for it a little with reduced efficiency, but you gain a system that can't easily be compromised. Users can make local copies of databases and give themselves manager access. Enforce a consistent ACL across all replicas and make Default and Anonymous access No Access for any database even remotely secured.
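An ACL audit agent in LotusScript, added here as an example and not part of the original article: it walks the databases on the current server and reports any whose ACL gives -Default- or Anonymous more than No Access, or that does not enforce a consistent ACL across replicas. It assumes it runs as a manual or scheduled agent under an ID with enough rights to read each database's ACL.

```lotusscript
Option Public
Option Declare
%INCLUDE "lsconst.lss"   ' supplies ACLLEVEL_NOACCESS and DATABASE

Sub Initialize
	Dim session As New NotesSession
	Dim dir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim problems As String

	' "" = the server (or local machine) the agent runs on
	Set dir = session.GetDbDirectory("")
	Set db = dir.GetFirstDatabase(DATABASE)
	Do While Not db Is Nothing
		' Databases from the directory are closed; Open("", "") opens the one already identified
		If db.Open("", "") Then
			Set acl = db.ACL
			problems = ""

			' -Default- applies to every authenticated user not named in the ACL
			Set entry = acl.GetEntry("-Default-")
			If Not entry Is Nothing Then
				If entry.Level > ACLLEVEL_NOACCESS Then problems = problems & " Default>NoAccess"
			End If

			' Anonymous applies to unauthenticated sessions; if the entry is absent,
			' anonymous users fall back to whatever -Default- allows
			Set entry = acl.GetEntry("Anonymous")
			If entry Is Nothing Then
				problems = problems & " Anonymous-missing(falls back to Default)"
			ElseIf entry.Level > ACLLEVEL_NOACCESS Then
				problems = problems & " Anonymous>NoAccess"
			End If

			' Without this flag a local replica's ACL can be edited by its owner
			If Not acl.UniformAccess Then problems = problems & " UniformAccess-off"

			If problems <> "" Then Print db.FilePath & ":" & problems
		End If
		Set db = dir.GetNextDatabase
	Loop
End Sub
```

Output lines name each database needing attention; the agent only reports and changes nothing, so the fixes can be reviewed before being applied.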
Welcome to the government
Notes has great security. It's fantastic. It's totally amazing! In fact, it's so good that most developers and administrators don't use the security features at all because it's such a hassle. A small trick can increase your local security a great deal. The government has set levels of security clearance. If you have Classified access, you can see any document that's secured as Classified. It doesn't matter if it's tank plans or plans to assassinate a California Notes developer for publishing articles on hacking. Creating just three encryption keys--Classified, Secret, and Top Secret--can add a lot to your security.
You may say, "But gee, 20% of our company has one of those keys." But that leaves 80% who don't. You've solved the majority of your snoopy-user issues right there. Also, if you make a big deal about it: "We're going to give you Classified access!" People tend to take it more seriously and help you keep your system intact. If you do everything behind the scenes, such as granting access, users feel no ownership and are often sloppy in dealing with security.
I have seen the enemy
A few weeks ago, I sent an email on the status of a project to a number of people. One of the cc recipients responded that I had sent a copy by accident to a vice president who had a name similar to the person I had meant to send it to. I checked to see if the V.P. was in, and since she wasn't yet, I walked over to my Notes administrator and asked him to remove the email from her mail database. Yes, by far the greatest number of security violations are committed by Notes administrators and developers.
This is a tricky situation, indeed. Most developers and administrators violate security so often that they don't even think about it. What I mean by violate security is: access, manipulate, and sometimes read information that they normally have no business dealing with.