If folks have security issues with physical datacenter access and they are afraid some rogue element will bring in a server and plugin into their SAN and steal their data? Tell them Mc Hammer called and asked for his pants back :-)
There is absolutely no reason to do port based zoning. None ...unless you are a consultant and charge on per zone configuration :-)
I agree 100%; there are a few things, that mandate pwwn zoning: eg. device-alias and NPV.
Reg. security: with port-based zoning: miscable a server, and the zoning is ok; the only feature which avoids the disaster is masking/mapping on the storage device. (btw. would this not also apply to a rogue server, unless you also fake the pwwn ?).