Ross Anderson presents a survey of ATM failures in Why Cryptosystems Fail (1993). Here are some major takeaways:

• If the deployment environment changes, your assumptions may stop holding.
• Revisit the goals of your system after deployment.
• Build with your adversary’s real abilities in mind.
• Do a postmortem study to determine why the cryptosystem failed. (Aside: share the results.)
• Having good cryptographic building blocks does not mean that what you build with them will be secure. Relatedly, you cannot just give these building blocks to regular (non-expert) people and expect them to build something useful.