One of the more complex parts of Symfony is probably the Security and everything that comes with it. It's not only rather big, it's also quite flexible with lots of different concepts which often confuse developers. Often enough when developers implement a security system for their website, they call it Authentication or Authorization yet often don't exactly know what they are exactly supposed to call it.
One quote I always refer to is "if you can't explain it simply you don't understand it well enough" and I think it's rather fitting for most cases. I think I've reached a point where I can explain it well enough, so bare with me!