I teach operating system security. The two main points I make are:
1) Understand all layers of your systems - you can't build a secure environment on insecure foundations
2) Understand all your users - you can't build a secure system without your users agreeing to your security