Regularly 'vulnerability' reports are send about logged on admin users being
able to do 'harmful' things in the CMSMS backend.

Although those reports are usually not accepted as vulnerabilities it may be
worth to look at the option for a sort of secure mode.
This could be a config setting, which e.g. disables (the adding/editing of)
UDT's, limits allowed filetypes to be uploaded etc.

Food for thought.