Hacker News

> Certainly there are improvements but you will never fit it all into one short book that a layperson could read.

However, the law could still certainly be shortened and simplified. The GDPR is written in plain English.



Yet GDPR is so vague that most companies I talk to about it have each taken very different things from it. "Except as required for security purposes" is a big exception.


It's not as big an exception, taking into account that the requirements are not about pieces of data that you can get and store, but about particular uses of this data.

If you previously had some private data in your core databases that you used for all kinds of things, finding an exception that allows you to store this data for security purposes doesn't allow you to continue business as usual - it won't permit you to use it for marketing purposes, for example, just as an exception that allows you to require and store some data that's needed to execute the service won't permit you to sell that data to third parties as was common practice earlier - for that you'll need to (try to, likely unsuccessfully) obtain the user's consent.


Traditional legalese has plenty of ambiguities, they're just hidden behind obscure language.



