A system should have certain properties (but not others). It should do certain things (but not others). It should be handled (or interacted with) in certain ways by certain parties (who should not be allowed to do things differently) while an authoritative party enforces this state of affairs by means of policy.
All this is subject to change without notice due to changing factors such as regulations, architecture or risk.
Functional, non functional or derived - no wonder security requirements are elusive.