> Do you know why the reason why FB was designed like this,

Because originally verifying users was done by OS.
Current behaviour was introduced to support Windows.

> and why the
> security is not included in each DB?
> My problem with this is that should someone get hold of the DB, they can
> access it easily with their own security FDB.

Firebird is open source, everybody can compile version of server
that do not verify passwords. Thus storing passwords directly
into DB will not increase security at all.

> I also don't like the fact that I have to deploy the security.fdb with my
> app. What happens if the user should overwrite an
> existing security.fdb with a new one?

Users are not managed by replacing security database,
but by using standard methods, see
http://www.volny.cz/iprenosil/interbase/ip_ib_users.htm

Ivan