Seems as applicable now as ever (modulo KeyKOS, of course):
The failure to solve the general protection problem by prior architectures (descriptor based or not) has had serious consequences. It has meant, for example, that system software modules must be set apart and explicitly protected from application programs; the former cannot be permitted to *trust* the integrity of in-bound pointer arguments such as descriptors. This disparity has, in turn, made it impractical and unsafe to permit users the freedom to substitute their own versions of selected modules. A frequent consequence has been that much software within a system tends to be relegated to a small number of very large (monolithic) *protection domains*. This consequence, in turn, leads to high software maintenance costs.
Elliott I. Organick, *A Programmer's View of the Intel 432 System*
I'd note as an aside that the 432 had no equivalent to factories, and therefore suggest that it didn't really solve the problem either.
Jonathan