July 19th, 2006, 01:01 AM
#2
Junior Member
In regards to port security, I have seen companies (or more commonly government agencies) go down the road of specifically defining the "secure MACs" for each port and only allowing those MACs. This might be OK for server networks, but for access switches for general users it quickly becomes such an administrative nightmare that the admins quickly give it up or look for a real NAC solution. Using port security against CAM table exhaustion attacks by specifying some maximum dynamically learned number is not a bad idea though. I would add that you can set the number pretty high, depending on port count and the maximum supported CAM table entries for your switch, and still achieve security against that attack.
A layer two security measure I use quite a bit but you don't mention (although generally only in server access layers, not general user) is private VLANs. It takes some planning since you must allocate "blocks" of ports to a PVLAN once configured on most platforms, but it's proven invaluable in many situations.
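The two measures described in this reply, port security with a dynamic-learning cap and private VLANs, as an added configuration example that is not from the original post. The syntax is Cisco IOS style (an assumption, since the post names no vendor), and the VLAN numbers, interface names and the maximum of 10 MACs per port are constructed values; the point of the cap is that it bounds how many CAM entries one port can consume, so a single host flooding spoofed source MACs cannot exhaust the table and force the switch into hub-like flooding.

```cisco
! --- Port security on general-user access ports ---
! A generous maximum (10 per port) still bounds the CAM table:
! 24 ports x 10 = at most 240 entries from this range, far below
! a typical switch's CAM capacity, without per-port MAC lists.
interface range GigabitEthernet1/0/1 - 24
 description user access (constructed example)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 10
 ! "restrict" drops excess MACs and logs/counts the violation
 ! instead of err-disabling the port like the default "shutdown"
 switchport port-security violation restrict
 ! age out idle dynamic entries so moved hosts do not pin slots
 switchport port-security aging type inactivity
 switchport port-security aging time 5
!
! --- Private VLANs for a server access layer ---
! Primary 200 carries the gateway; isolated 201 hosts can only
! reach the promiscuous port; community 202 hosts can reach each
! other and the promiscuous port. PVLANs require VTP transparent
! (or VTP v3) on most platforms.
vtp mode transparent
vlan 200
 private-vlan primary
 private-vlan association 201,202
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
!
interface GigabitEthernet1/0/25
 description isolated server (constructed example)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/26
 description community server (constructed example)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet1/0/48
 description uplink to gateway/firewall (constructed example)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
```

To verify, `show port-security interface GigabitEthernet1/0/1` reports the configured maximum, the current learned count and the violation counter, and `show vlan private-vlan` lists the primary/secondary associations and which ports sit in each; a rising violation counter on a user port is the observable signal that something on that port is cycling through more source MACs than a normal host would.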