Applications can gain a lot of security by building on top of a lower
layer secure communication substrate, such as that provided by IPsec
or TLS. Such substrates allow the application developer to make
assumptions about the security of the basic communication path, and
have these assumptions be valid. Precisely the sorts of things you
are citing as "bad" can be addressed in this way. Fancier
application security requires some level of customization, perhaps in
an application-specific fashion, as you noted.
I beg to differ. Few applications can use IPsec or TLS authentication
as-is. A few more can get away with using username/password schemes
on top of IPsec or TLS privacy. But neither IPsec nor TLS is anything
resembling a generally applicable authentication solution.