Here is a talk by Russ Thomas that doesn't get nearly the focus it should - unintended consequences.
There are a lot of good ideas alluded to in the slides. Anti Pattern 8 - perfect is the enemy of the good - for example, neatly summarizes Brad Hill's defense of HTML5 argument.
There seem to be two Anti Patterns numbered 10; regardless, they are both among the most important.
10a - Complexity arises from controls. Major problem if you are only applying controls and slavishly following an auditor checklist. Or consider Veracode's finding (link?) that security vendors have worse security in their products than any other software, including HR, CRM and other systems.
10b - low knowledge, high confidence. Often wrong, never in doubt - unfortunately applies to the majority of the industry. Firewalls and SSL anyone?
The presentation ends with a set of prescriptions, to which I would add one. An important part of unintended consequences is that they are only obvious after the fact. Assuming failure up front is a good exercise: try to think through how the system works in limp mode. You have an HSM but it's only in DC; what happens, say, to Seattle when DC is down?