Sorry, I didn't make myself clear there. Under-specified security properties. Although they (and TLS, honestly) do a better job than others, in their protocol documentation they really don't go to any lengths to describe what actual security the protocol provides - just that it is "secure". This makes verifying these protocols nigh impossible - and usually you end up with the analyst having to reverse-engineer what security properties they think the designers wanted the protocol to ensure.