Coming from Duo Security to RSA SecurID, I've learned a few things that I find missing in RSA SecurID.
1. Allow assigning multiple UserIDs to one token. This is currently implemented through User Alias; it works for two users, but it's kinda "sketchy".
2. Allow protecting multiple resources on one server. Let's say you have PAM installed on RHEL, you created an Agent for it in AM, and you allow only UnixAdmins to log in (SSH, sudo). Then you install a web application on that same server and you want to protect it with SecurID as well, but you cannot add another agent with the same IP to protect a different resource on the server and for different uses.
3. The above also happens with ASA. You have your VPN users protected with SecurID and ASA management access with RADIUS. You created RADIUS with an associated AGENT. BUT you have no way to separate which groups are allowed to log in through the standard native AGENT and which through RADIUS.
These are a few RSA SecurID shortcomings I saw after migrating from Duo Security.