http://screencast.com/t/GNgzT2OAbXj is a profile of sampled requests from a live server. Note the pairs of arrows which show essentially the same call stack, just starting from a different point. And the first stack has some details expanded which the second stack has collapsed.
Looks like lots of opportunities for improvement here. Ming odm at the root of it seems like the slowest part, perhaps optimize that. Avoiding expensive calls may be even easier. E.g. don't validate the ACL info when reading it. Or cache security results better (but safely)