Joomla has announced the availability of a new ACL: http://is.gd/iA5B and they seem pretty excited about it. Is that something for the Drupal community to be jealous of?

If you come from a Java/J2EE background, the clear answer is: NO (yes, in capital letters). You have to actually suffer from a structured, strict ACL to really appreciate the simplicity of a security system like that of Drupal.

Now, you may argue that Drupal security is slightly over-simplistic and too code-oriented (which makes us, the developers, happy) for “business” use.

OK, but it does not have to be a “hierarchical ACL” or strings-based security. A flexible, rules-based security system may be the answer?

Zed Shaw, of the RoR world, has some very interesting things to say on the subject:
http://vimeo.com/2723800