Do you mean that role based access control (RBAC) should be replaced by something else? Or that just the specific RBAC models in use are broken?

I personally think the, perhaps confusingly named, capability based security models are the way of The Future.