No system is perfect, and options add complexity.
If OAuth 2.0 is so bad, why would big-name players on the web use it?
And if there is a flaw, OAuth 2.1 or OAuth 3.0 would likely fix it.
I think it's a lot riskier to roll your own security than to use an established system, especially if you are just starting out.