"Ignoring everything, except success" is the security issue.
I don't have anything against trying all modules, nor do I think that the "one
succeeding module" is a security issue per se. But ignoring blatant errors,
locked out users, wrong and/or expired passwords, that is a security issue.
May
This is not a security issue. The default PAM stack is *deliberately*
organized such that each module is tried in turn and any one succeeding
authentication module is treated as a success for the whole stack.
If this is not the site policy you want, then you should use pam-auth-
update to change