Functional firewall pattern

Many security concerns stem not from the software itself, but from the configuration of the surrounding infrastructure. For example, consider a setup that has dozens or hundreds of instances, each with its own internal firewall configuration. Without configuration management software such as Puppet or Chef, or a very careful process around this configuration, each instance may end up with a slightly different set of rules from the next.

Add to this that the infrastructure itself may carry similar configuration, such as the AWS-provided Security Groups. With this many instances, the rules could get out of control very quickly unless care is taken from the beginning or the configuration is iterated over repeatedly. ...
