The AES round function, for instance, is not the most optimal; just altering AddRoundKey (Transposition of AES Key Schedule) can significantly improve security. While cryptanalyzing one cipher is hard enough, cryptanalyzing any minor change in construction would be very difficult. Times have changed since the only good cipher was DES, and cryptographers were examining alternative DES constructions such as Ladder-DES, proposed on sci.crypt. It was a good thing that the Threefish team had to justify their design decisions, since it was very hard to prove security for an ARX cipher. It still remains an open question whether current knowledge is being applied most optimally. Just how much additional security does a tweakable block cipher provide? Would Madryga even be secure under a tweak construction? Would a CBC-MAC be immune to Simon's algorithm if it was truncated? For wide-block encryption, wouldn't it be better, instead of BEAR and LION, to just use an envelope MAC over the plaintext and use half of the MAC output as the encryption key and the other half as the MAC? Actually, ZFS does something similar... A search for "zfs" on IACR doesn't reveal anything. Could the Simon cipher use a stronger 3-to-1 function? Reuse the same function for the key schedule? Just how many NSA key schedules did Bruce Schneier see? Should be about four. He's impressed with all four of them. Impressive.