I work in schools. In one of them, we had VNC-like vision of every client PC.
We had a wall of displays, and four-to-a-screen sessions of every machine on campus. We never "watched" it - people are even more boring when they are on a computer than in real life - but it was interesting how quickly your brain picked up on something "wrong" just by glancing at it. Because it was a really rough school, the kids played games like "Who can print out porn before IT stop it" and things like that.
And the number of systems online is scary - one school I worked for had boilers controlled by app that included things like pump duty cycle and pressure, and could have caused all kinds of mischief. Access control. CCTV. Digital signage. There's no amount of things that are connected these days.
Even at a (infinitely better) school, there are any number of systems that I remote into all the time. We do put passwords on EVERYTHING though, but you can see how things can be overlooked, but how they become remote-accessible? That's just laziness.
One of the first things I did at my current place was knock off every port-forward except mail and Remote Desktop (because our users use it for everything). I was amazed how much there was. Straight port-forwards to servers, to clients (in the finance office no less!), to the phone system, to the web filter, to lots of internal web services, etc. etc. etc. I replaced it with a Smoothwall that reverse-proxies all the web content, and performs IDS/IPS on all the exposed services (mail, Remote Desktop, etc.). The amount of login attempts and other things it detected in the first week was enough to tell me that I'd done the right thing.
I'd quite like to do something that I've seen online, though. Given that we have a compulsory webfilter already, I think it would be a good idea to have a "wall of images" that go through the filter. As we specifically say the system is for school-use only (staff and pupil), I'm not that concerned about the odd Facebook or whatever popping through but I am concerned about quite what the kids are seeing and looking for, and I think a semi-public (i.e. well-known and visible but able to be turned off) display of every image that is being requested from the filter might reinforce correct use of it. It would wake people up a bit, because I do tell them that "in theory" I can see everything they do even if takes a lot of reconstruction, but they don't seem to care what they go looking for.
People... make sure your gateway is secure. Nothing should be accessible remotely. If you want to do that, use VPN and open ONLY the VPN ports and make sure you log and monitor access to it. And then start realising that even your users can do a port-scan / Bonjour discovery and hit quite a lot of things that you don't want them to. And start passwording and IP-limiting those things.
Hell, even printers. The system where I work, we have NO NEED to ever access a printer by any other protocol than SMB or by any other system than the print server. But those options are all open to everyone by default. Switch them off and use ACL's on your printer shares to control access. Especially if you have billed printing!