The problem with thinking in terms of "security-critical" and "non-security-critical" to determine where security is 'important', is that adversaries know this too and so what actually happens is that they hack into your "non-security-critical" system and then use that to gain access to the super-secure security-critical one