RHEL 5 Why pam_tally have to precede any lines of same module-type with a control flag of sufficient.

Is a real security gap if for RHEL 5 pam_tally do not precede any lines of same module-type with a control flag of sufficient. But I have this configuration in order to protect system users
account required pam_unix.so
account sufficient pam_succeed_if.so uid 500 quiet
account required pam_permit.so
account required pam_tally.so
What security violations scenario may allow this?
Thank you