I don't have TopSecret or RACF experience, but I'll take a shot at this. ACF2 and TopSecret are designed on the principle of 'security by default'. In other words if there is no access rule to validate against, then access is prevented. RACF is the opposite; basically you must write an access rule to deny access to a computing resource. Which approach is 'better' will most likely be debated for some time to come. The merits of each method depend on the type of environment you are administering. Should development be supported at the cost of security? Do developers require unfettered access to create, modify, and delete dataset names, and resources? On the flip side, do you want to exercise greater control over your environment and prevent access to anything/everything that has not been subject to whatever methodology (e.g. change management) is used to ensure a stable computing environment? I don't mean to imply that one security application is more secure than another, just that each requires a different approach when designing a security architecture. Acquisitions of companies by CA in years gone by have added to the catalog of products that they support. I cannot speak as to why they still sell both products and have not encouraged or even forced a migration one way or the other. Bottom line, every company wants to grow market share. In my opinion, whether they dominate the market by selling one product or many is irrelevant.
#TopSecret