The Security Protocols identify basic cryptographic primitives.
Particular applications, such as, say, the Fortezza card, can define protocols for particular combinations by citing the primitives, if applicable. RSAREF, which does not explicitly reveal the session key, would be equivalent to Security/Key-Exchange/RSA followed immediately by Security/Bulk-Cipher/DES.
Other protocols, like ObliviousCreditCardTransfer or SecureFileDownload could be composed similarly.
This technique helps avoid the potential risks of interleaving arbitrary Protocol modules within the sequence of Security-related processing steps.