The biggest vulnerability
It is called PEBKAC
Despite all the publicity about zero-day exploits, a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the …
Not just Jr Admins. There are Sr Admins and even System Architects out there who know better but cut corners. Sometimes the decisions are mostly out of their hands (CxOs who won't cough up the bucks or demand that vendors fix known problems in must-use software), other times it's not (default root passwords left unchanged for 5+ years, too-simple passwords on administrative-level accounts so everyone can remember and use them).
It's the Dunning-Kruger effect.
Nah, they would rather hire a bunch of H-1Bs with no true skills because they cost less. Until they get smashed, all red-faced, when that one competent person they have left discovers these people left some huge holes letting the whole world in, but hey, they were cheap, am I right?
Discover a new and virtually unknown vulnerability or exercise a more sophisticated and quite exclusive capability, and one can earn billions rather than settling for peanuts... http://flashcritic.com/great-cyber-bank-heist-1-billion-theft-highlights-danger-posed-financial-cyber-threats/
HP says,
"Threats can be minimised with a well-thought-out patching strategy, regular penetration testing, layered security defences, threat intelligence sharing and a strategy for introducing new technologies."
That all sounds like locking the stables after the proverbial horse has already bolted.
As necessary as the items in the above list from HP are, they seem to be rather studiously ignoring the real first line of threat minimization.
How about suggesting that people run good code? Isn't it far better to write good code rather than install and patch?
It is easier to build the system secure (or correct) than to try to retrofit security onto a deployed system.
So... despite endless discussions about what to do about security, no one can do it well, no one is smart enough to do it well, no one's operating system is any good, no one gets paid enough to do it well, and the dumbest person behind the keyboard can mess it up anyway in the blink of an eye.