laboon / ebook

Software Testing ebook

Is verifying that storage is secure tricky or simple? #77

Closed carols10cents closed 9 years ago

carols10cents commented 9 years ago

In the section 20.3.4 Insecure Storage, the 2nd paragraph starts with:

Note that this can be more tricky to verify than simply checking the log files or searching for passwords hard-coded into your program.

And the 3rd paragraph starts with:

Testing for insecure storage can be as simple as attempting to access data directly on the database or on the filesystem.

This leaves me confused about whether verifying storage security is tricky or simple overall... I think this section could use a bit of rewording to make the ideas fit together better.

laboon commented 9 years ago

What I meant there was really "straightforward". I re-worded in commit d1a8007.