I've worked with OS/390 in the banking industry as it is the backend to alot of the ATM/EFTPOS applications that don't get seen.

The bank I worked for had RACF implemented beautifully, the system was tight as a drum so to speak.

The permissions were set from our HQ and operators from all around the country with the lowest access level were able to get in and monitor all the relevant process's with ease.

We never had a breach in the 3 years that I worked on it, so although this isn't definitive I think its a good start.

Hope this adds a little to the discussion.

Cheers,
DOHC