This tends to be the recommended architecture (with variants) that most enterprise applications follow and most of the experts (roughly) recommend:
Much of the blogosphere seems to accept this model and to focus on various aspects of it.
ORM discussions like NHibernate and LINQ to Entities focus on Data Access Logic (from the above diagram).
POX, REST, WCF, Web Services, et al. deal with various aspects of the Service Layer (again, from the above diagram).
BDD focusses on the Entities (the diagram) driving development of the system.
WF (man I wish they’d made it ‘WWF’… for another time) deals with Business Workflows (diagram.. redundant?).
Database Security is fairly well documented for each flavor of database out there. WCF is a great step in the right direction in documenting security implementations for the Service Interfaces. There’s not a lot out there on securing the user interface components (how many times have you been asked to implement different views based on user roles or credentials), but that seems to be more specific to the solution being developed.
It seems like there’s a LOT of work being invested in vetting out the true "best practice" in each of these areas. The area of the complete application picture that I feel tends to be most neglected is deployment. This may be just my not looking in the right areas, but here’s what I’ve seen:
ClickOnce is one technology addressing deploying an application. Tools to build MSIs, like InstallShield and the Visual Studio Setup project, are painful, complicated and painful! In some cases, your SDLC can influence your deployment strategy.
Agile favors frequent, lower risk releases. Some ISVs benefit from this deployment (Anti-virus software). Some just serve to irritate the users (Windows Update), even if you know the updates are necessary. Older flavors of RUP are more like Waterfall in that they favor less frequent, but higher risk releases.
Your market can influence how you deploy your solution. If you’re developing an application for internal use, people tend to like the latest and greatest ASAP. If you’re developing a retail application, users don’t tend to like having version 9 come out just because one year has passed since version 8 was released, when there are no real improvements and the new version is used only as a way to stop supporting the older versions (see Roxio software).
This aspect of software development also has the nasty side-issue of licensing (for all applications save applications intended for internal use). I still love the rant that Carl Franklin goes on regarding Adobe’s licensing during episode 179 of the DotNetRocks podcast. Again, the sheer number of license flavors (even just look at the derivatives of GPL) is a clear indication that there is no "best practice" or recommendation out there for this component of deployment. Again, though, this may be something that is very specific to each solution.
Here’s the point: Risk management indicates that you should focus on the unknowns first. I’d say that this is likely the biggest unknown and is also likely the most neglected; likely because it’s hard to find the "right" way to do it.