I once had to debug a contract where a malicious user could DoS a payout function by making a single address in the payees array fail, effectively freezing funds for everyone. Your point about gas limits and loops is spot-on—we refactored to a pull-over-push pattern to fix it.
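As an added illustration of the pattern this comment describes (not code from the thread or the contract being discussed): the push-loop payout beside its pull-over-push replacement, in Solidity. Contract and function names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable push pattern: distribute() loops over every payee and sends.
// One payee whose receive()/fallback reverts (or consumes all forwarded gas)
// makes the whole call revert, so nobody is paid and the funds are stuck.
contract PushPayout {
    address[] public payees;
    constructor(address[] memory initialPayees) { payees = initialPayees; }
    receive() external payable {}

    function distribute() external {
        uint256 share = address(this).balance / payees.length;
        for (uint256 i = 0; i < payees.length; i++) {
            // A single failing transfer reverts the entire loop.
            (bool ok, ) = payees[i].call{value: share}("");
            require(ok, "transfer failed");
        }
    }
}

// Hardened pull pattern: the contract only records what each payee is
// owed; each payee withdraws its own share in its own transaction. A
// reverting recipient now blocks only itself, and the external call is
// no longer inside a loop whose gas cost grows with the payee count.
contract PullPayout {
    address[] public payees;
    mapping(address => uint256) public owed;
    constructor(address[] memory initialPayees) { payees = initialPayees; }

    // Deposits are credited, not forwarded: no external calls here.
    receive() external payable {
        uint256 share = msg.value / payees.length;
        for (uint256 i = 0; i < payees.length; i++) {
            owed[payees[i]] += share;
        }
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The remaining loop in PullPayout.receive() does only storage writes over a list fixed at deployment, so its gas cost is bounded and no recipient can make it revert.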