Fairly good principles, I think. To (2), I'd add technical debt and potential "hard" liability due to security lapses. Regarding (4), I'd want a better elaboration on how to handle dependencies. To (23), I'd add input in addition to state.