James Governor and Alan have written posts about ECM and security. The problem that many of these products implement their own security model instead of using external security products is not limited to ECM products; I’ve also seen portal products that have their own security model.
Most products in this space claim that they can integrate with external security products. When you dig deeper, however, you find that this integration is limited to authentication. It’s quite easy to use an external LDAP directory that stores the user ID and password against which authentication is done. Authorization is different: these products need a fine-grained permissioning mechanism (Alan gives an example of 57 different permission levels!). One needs to store permissions for different assets, sometimes even for individual fields of an asset, for different versions of an asset, and so on. In that sense, the security mechanism is quite closely coupled with the content management system (or portal, as the case may be).
Having said this, I think it would be a good idea to decouple features like security and externalize them. But many product vendors use this as a differentiator, and previous experience shows that getting vendors to agree on common standards is easier said than done.
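To make the asset, field and version coupling concrete, here is an added sketch (not from the original post or from any product) of an external decision point that a CMS or portal could query after the directory has authenticated the user and supplied group names. The `Rule` shape, the `decide` function, the group names and the sample policy are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    group: str                     # group name as supplied by the directory
    action: str                    # "read", "edit", ...
    asset: str                     # asset id, or "*" for every asset
    field: Optional[str] = None    # None = applies to every field
    version: Optional[int] = None  # None = applies to every version
    allow: bool = True

    def matches(self, groups, action, asset, field, version):
        return (self.group in groups and self.action == action
                and self.asset in ("*", asset)
                and self.field in (None, field)
                and self.version in (None, version))

    def specificity(self):
        # Each pinned qualifier (asset, field, version) makes a rule narrower.
        return ((self.asset != "*") + (self.field is not None)
                + (self.version is not None))

# Constructed sample policy (hypothetical assets and groups).
POLICY = [
    Rule("editors", "read", "*"),
    Rule("editors", "edit", "contract-17"),
    Rule("editors", "edit", "contract-17", field="salary", allow=False),
    Rule("editors", "edit", "contract-17", version=1, allow=False),
    Rule("legal", "edit", "contract-17", field="salary"),
]

def decide(groups, action, asset, field=None, version=None, policy=POLICY):
    """Return True only if the narrowest matching rule allows the request."""
    hits = [r for r in policy if r.matches(groups, action, asset, field, version)]
    if not hits:
        return False  # default deny: no rule, no access
    # Narrowest rule wins; on equal specificity a deny beats an allow.
    best = max(hits, key=lambda r: (r.specificity(), not r.allow))
    return best.allow

if __name__ == "__main__":
    print(decide({"editors"}, "edit", "contract-17", "title", 2))
    print(decide({"editors"}, "edit", "contract-17", "salary", 2))
```

Even with the decision moved out of the product, every rule still names asset ids, field names and version numbers, so the external service has to understand the content model it protects.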