It might seem like more potential for security holes having Application-level users, but it's really easy to misconfigure the web server and ruin the web server level authentication. Especially if the web server's configuration file format is the one that sets the ease of management standard - at the bottom end, that is.
As others have pointed out, the inability to logout of HTTP sessions without closing all your browser windows really sucks.
$h=$ENV{HOME};my@q=split/\n\n/,`cat $h/.quotes`;$s="$h/."
."signature";$t=`cat $s`;print$t,"\n",$q[rand($#q)],"\n";