The security of common sense (continued)
Administrators
Administrators probably violate security the most. So much of their work involves doing so that putting firm security measures in place would restrict their actions to the point where they'd be left with no work to do while they wait for security authorization. This is also not feasible, since most people would prefer problems be taken care of before they're even aware of them. If the router has hung on a message in someone's database, the administrator can either fill out a form requesting access from security, or they can go in and deal with it.
I'm pretty sure most people in the company would rather their mail not be halted while authority is being obtained. Think of administrators as firefighters. If they're putting out a fire in an apartment building, do they knock before entering an apartment? They have to do whatever it takes to get things running smoothly again.
Developers
Developers usually violate security measures by shortcutting procedures. We have a workflow process that goes A, B, C. It's stuck on B, and the developer goes in and forces it to C. If anyone else did this, we would scream, but developers do that stuff all the time. Another very important thing about developers is that anything anyone can do in a Notes environment, a developer can do. I've proven this to skeptical administrators on numerous occasions.
Notes works on a distributed authority system. If Person A presses a button, it will use the authority of Person A. If Person B presses the same button, it may do something different because of their different levels of authority. This is a good thing. However, you don't always have to show people the buttons.
In a past life, I had worked alongside IBM on a project. They had a Notes developer, and we used to argue about everything (Hi, Nancy). One day I sent her the usual email asking her to lunch for another argue-fest. When she opened it, unbeknownst to her, it created an email to me and cc'd herself that congratulated me on my brilliance as a person and a developer, and that she was wrong for questioning my statements and that she would hereafter be paying for all our lunches. While this was just a joke, strictly speaking it was a violation of security. I could have just as easily composed a letter to her boss saying what a bozo she felt he was. Or I could have made myself manager of her mail database and read all her mail. I even could have made the original message delete itself to remove the evidence.
The point is, you should not give out developer clients to non-developers. There's a tendency to quiet power-users by giving them a developer client. If they have No Access to every database in your company but can still send Notes mail, they can effectively give themselves access to anything. Developer clients should be kept in a briefcase, handcuffed to the wrist of your CIO. There's no effective way of limiting the access of a developer because of the distributed authority model.
The solution
There isn't much to do about administrators and developers breaking security. It's part of their jobs, and that's not going to change soon. The most important thing you can do is hire people you can trust. Hard and fast security limitations aren't very effective because you're always encountering problems that weren't covered in those procedures. So instead of creating a 200-page security handbook detailing everything administrators can and can't do, just make sure you use people with some integrity. While there are very few positions in a company where it's okay to have unscrupulous people working, Notes positions are very sensitive due to their ability to get at otherwise secured data.