Most organizations are very bad at computer security. They don't patch well, and they have short, simple passwords that don't expire. They have dozens to hundreds of people in elevated groups. They don't have a clue who has which permissions in their environment.
Their networks are flat and often wide open to hundreds of contractors, business partners, and vendors. Defenses aren't appropriately prioritized, and they try and fail to accomplish dozens of projects at the same time. My average security audit findings report is well over 100 pages long and often contains dozens and dozens of critical findings.

The link to this article at InfoWorld is no longer available.