The NPM feature where it immediately tells you about vulnerabilities in your dependency tree whenever you run it is a great example of a subtle feature that actually does improve security. Just getting that message has gotten me to update dependencies in all sorts of old projects lately.