The little disagreement here is that in my opinion the primary point of contact should by the "most down-strem" entity, with the NCC's Member contact to be used as an escalation path, if needed.
I agree that this is superior in practice but only if that "most down-stream" contact is READY, WILLING and ABLE to act upon problem reports. It would be wise for a registration policy to allow and encourage the assignees to register such a contact, but the policy can only make it mandatory for LIRs to register such a contact. I think that if RIPE ever did make a sensible and workable policy like this, then the LIRs would put some effort into making sure that their customers have contacts who are READY, WILLING and ABLE to act upon problem reports. But they are closer to those customers and will know where it makes sense to do this and where it does not.
The rational for this model is: the entity/role/group that is the NCC's member and is managing addres space may not be in aposition to get involved in operational or security aspects. This responsibility may rest with a third party, either within the same corporation or even somewhere else.
If RIPE is going to require a working abuse contact then it should point to the group that has this responsibility, not to the group that deals with address management. That is why I stress that the abuse contact must be READY, WILLING and ABLE to act upon problem reports. --Michael Dillon