That's not how security should work. The default should be no-access, so that missing a line of code or making a small mistake leads to too much restriction rather than not enough. That would also help the developer notice the mistake, since the feature wouldn't work.
Agreed, but you'd be hard-pressed to find any site that has that as the standard (much less a social site, with so many inter-weaving connections), that isn't crammed down their throat by laws. Even then it's still hard to get (and keep) it correct 100% of the time, and stands in the way of making changes and new features, which are what keep social sites alive and competitive.