The simple fact that UN*X's DAC uses multi-actioned commands means that rights propigation is impossible to predict as rights become transitive, this makes it impossible to calculate the security of most objects. Even NT answers this issue while still using a single level system, but utilizing more finely grained commands and the deny ability.
Not only this but nearly all of the UN*X systems that have been retrofit as multi-level systems are still considered too weak to actually be used in a multi-level secure production environment.
UN*X's huge mistake was not switching to ideally the harrison-ruzzo-ullman security model or at the very least the graham-denning model. Their failure to do this has resulted in their systems from being shunned for all medium to high security environments, which is a shame because in many regards UN*X is very useable.

Though, don't even get me started on the superuser account... ick ick ick.

catch