Security is a paramount feature of any modern CMS. Drupal has a well-defined authentication and RBAC (role-based access control) system that limits the scope of what users can and cannot do. Soon we will even have PBAC (policy-based access control) in Drupal core. But what about securing other things, like API tokens, SSL certificates or the secrets used to authenticate with external services whose features require authorization?
Out of the box, all configuration data is exported to configuration files. By default, Drupal is not aware of which values are sensitive or secret by nature. This means that when add-on modules collect API keys or authorization credentials, those values can find their way into your configuration, database and code repository, where they are at risk of leaking. You are only as secure as your weakest link, but fortunately this is easily solved in Drupal with the Key module.
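To check whether an existing export already contains such values, the following added example (not code from this article or from the Key module) scans a directory of exported configuration YAML files for secret-like key names that carry a literal value. The key-name list, the file names and the sample values are assumptions constructed for illustration, and the match is a heuristic that can produce false positives.

```python
import re
import tempfile
from pathlib import Path

# Key names that commonly hold credentials (assumed, non-exhaustive list).
# Anchored at the end so names like "password_reset_timeout" are not flagged.
SENSITIVE = re.compile(r"(api[_-]?key|secret|token|password|private[_-]?key)$", re.I)
# A simple "key: value" line; Drupal config exports are plain block-style YAML.
LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*?)\s*$")
EMPTY = {"", "''", '""', "null", "~"}


def find_exported_secrets(sync_dir):
    """Return (file name, line number, key) for secret-like keys with a literal value.

    The value itself is never returned, so the report is safe to paste into a ticket.
    """
    findings = []
    for path in sorted(Path(sync_dir).glob("*.yml")):
        lines = path.read_text(encoding="utf-8").splitlines()
        for number, line in enumerate(lines, 1):
            match = LINE.match(line)
            if not match:
                continue
            key, value = match.groups()
            if SENSITIVE.search(key) and value not in EMPTY:
                findings.append((path.name, number, key))
    return findings


def demo():
    """Run the scan over two constructed config files (hypothetical module names)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "example_mailer.settings.yml").write_text(
            "endpoint: 'https://api.example.com'\n"
            "api_key: 'CONSTRUCTED-not-a-real-key'\n",
            encoding="utf-8",
        )
        Path(tmp, "system.site.yml").write_text(
            "name: 'Demo site'\napi_token: ''\npassword_reset_timeout: 86400\n",
            encoding="utf-8",
        )
        return find_exported_secrets(tmp)


if __name__ == "__main__":
    for name, number, key in demo():
        print(f"{name}:{number}: '{key}' has a literal value in exported config")
```

Run as a pre-commit or CI step against the exported configuration directory, a non-empty result is a signal to move that value out of configuration and rotate it if it has already been committed.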