The problem comes in not having layers, but WHAT those layers do.
Did I say not to use a firewall? Did I say not to use a chroot jail? Did I say not to use selinux?
You are right, I interpreted your words too much. Let us focus on the layers around applications.
What I said was I don't see that the "benefits" of suhosin are worth the negatives to it... There are things that can be done, but I see the path that suhosin has taken as to be much more obscurity than security... It's a good feeling, and makes you feel protected, but in reality doesn't offer up much protection (if any at all). It's the same way with mod_security... It feels good, but what is it really doing?
Which negatives despite the fact that flash-uploader problems. Please refer to specific disadvantages of suhosin.
One BIG reason I don't condone their use, is I see a lot of people slacking on upgrades because "Oh, I have (Insert today's security fad) installed, I'm protected". That is a MUCH bigger problem IMHO...
Again, my $0.02...
Ok. Maybe you can accept another point of view. Joomla! has become very popular. Most users download Joomla! install a template and add content and that's it. If they do not work with Joomla! the version is not updated and it is a matter of time...
.. until they get hacked and cry in the forums.
My point of view is that if they host their projects on my server I can protect my server and my users applications against automated exploits in unpatched apps with suhosin and mod_security. Reality is that users do not update their apps if they do not need new functionality or got hacked or have other issues with the current version. I don't have a research at hand but the number of users who update their software (os, apps, webapps) is likely to be less than 10%. These users do not care or do not even know suhosin or mod_security. That's why I think suhosin or mod_security is mostly used by security aware people who frequently update all their webapps.
Scenario: A new critical vuln is found in Joomla!. A fix is released. Hosters may notice the new release within 1-2 days. But if users do not use joomla.org or other joomla sites frequently it will last some days or weeks until they notice that a new version is around. A few days after the release automated exploit scripts are distributed all over the internet and it is a matter of hours until the first vulnerable installations gets exploited. Users or even admins need at least some days to patch their installations - maybe this is already too late.
That is the reason why imho other security layers are important. They prevent vulnerable apps from beeing hacked until the patch is deployed.
The other problem is that admins and hosters of multiple Joomla! installations are not able or allowed to patch their customers Joomla! installs without a service contract or something else. Another reason why a security layer on top of webapps makes sense. What do you think?
Maybe a update notification will make people aware of updates faster will increase the patch deployment and will be a first step - but it will never solve the issue with the time between release of the new version and the time it takes to get that information and patch the install. Therefore an umbrella on top of webapps makes sense and patching should take place asap. But as said before users who do not update their installs are not security aware at all and even do not know what suhosin or something similar is.
English is not my first language - sorry if I do not take the right words to sound less offensive.