It either works on the file system or it doesn't.

Only certain filesystems actually support it. To the kernel it is as much a bolt-on as any of the loadable modules are. It is in the core kernel tree. How is that a bolt-on? You could compile it into the kernel just like filesystem support, *IF* you wanted. Then you have to enable it on the filesystem in question.

Now, Pile-on I can buy. ACLs are on-top of existing UGO stuff.

Now, if you are talking about easy-to-use point-n-drool... Sure, commercial *NIX have it better off. But would you REALLY call SAM in HP-UX a *GOOD* interface for it? Or rather ANY of the administration tools that commercial *NIX systems have? Hell, I'd rather use Linuxconf with a custom module than any of those. Or even Webmin.

One thing Microsoft's stuff hasn't gotten right yet... is letting you into a directory, then giving you full read and execute in a sub-directory, without bleeding through the rights mask and screwing up the parent directory. You have to address it file by file.

Now, speaking of your beloved VMS, yes, there is a great model of security, bolted on... but in replacement of other mechanisms... and it rules with not just an Iron Fist... but also a Powered War Hammer, as a fallback, and has an auto-targeting, never-miss Sniper Rifle with quite a few miles of range (real limits unknown). IOW, if you should not even know of the existence of a certain object/file/device... you'll have zero clue about it.