If the only security you are using is the low-level DB security, then that is a problem. Security should be tied to the web application at a higher level, controlling which parts of the application the user can access.
DB-level security can be a good safety net, but it doesn't make a good system by itself.
The best systems I have seen work something like this. Each user is mapped to a user class, such as user, manager, or admin. This mapping is done at the application level when the person logs in. This class is used to log in to the database, where each class has a set of permissions based on what it needs to access. At the application level, this class is used to determine what parts of the application the user can see and access.
Overall this seems the best balance between ease, speed and utility that I have seen.
Jay
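
A sketch of the two-layer scheme described in the post above, as an added example that is not part of the original post. All names and data are hypothetical; SQLite's authorizer callback stands in for one database login per class with its own GRANTs, and only read access is modelled.

```python
import sqlite3

# Constructed sample data: each account is mapped to one class at login.
USER_CLASS = {"alice": "user", "bob": "manager", "carol": "admin"}

# Application layer: which screens each class may open (hypothetical names).
APP_VIEWS = {
    "user": {"orders"},
    "manager": {"orders", "salaries"},
    "admin": {"orders", "salaries", "accounts"},
}
VIEW_SQL = {
    "orders": "SELECT item FROM orders",
    "salaries": "SELECT name, amount FROM salaries",
    "accounts": "SELECT login FROM accounts",
}

# Database layer: tables each class's DB login may read. On a server DBMS this
# would be GRANTs on one role per class (assumption: the authorizer mimics that).
DB_READ = {
    "user": {"orders"},
    "manager": {"orders", "salaries"},
    "admin": {"orders", "salaries", "accounts"},
}

def connect_as(cls):
    """Open a connection restricted to what the given class may read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(item TEXT); INSERT INTO orders VALUES ('widget');
        CREATE TABLE salaries(name TEXT, amount INT); INSERT INTO salaries VALUES ('bob', 5000);
        CREATE TABLE accounts(login TEXT); INSERT INTO accounts VALUES ('carol');
    """)
    allowed = DB_READ[cls]
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and table in allowed:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # default deny: other tables, writes, DDL
    conn.set_authorizer(authorizer)
    return conn

def open_view(username, view):
    """Application-level check first, then query with the class's DB login."""
    cls = USER_CLASS[username]
    if view not in APP_VIEWS[cls]:
        raise PermissionError(f"{cls} may not open {view}")
    return connect_as(cls).execute(VIEW_SQL[view]).fetchall()
```

If a code path skips the check in `open_view`, a query against `salaries` on the `user` class connection still fails with `sqlite3.DatabaseError`, which is the safety-net role the post gives to DB-level permissions.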