Hey Sundar,
First - let me link you to a question I answered yesterday, for a few notes on
Spring Security vs other frameworks .
Now - let's look at complexity.
The way I look at complexity is - always in the scope of what I'm trying to do.
Let me unpack that. Complexity that hinders you getting your scenario implemented is bad. Complexity that gets out of the way and is only there if you need it - that's not necessarily bad.
So, if the design of the framework is done intelligently - then
you should be able to implement simple scenarios without a lot of complexity, and only go into more complex, low level things if you have very custom, non-standard needs.
And in the case of Spring Security, that's mostly the case.
Hope that helps.
Cheers,
Eugen.