they are rarely audited and maintained by dedicated IT security staff, and configurations are often in the default state, including default administrator passwords," he added.
Even in those instances where it isn't the default state, there tends to be a problem with homogeneous deployments. For example, in each store the first register is POS01, the second is POS02, etc. So once you've cracked one store, all the rest in the chain follow. I was talking with a friend who is part of the dedicated support team for one franchise here in the US. For various reasons that's exactly the way they have to deploy the hardware. Right now they use Windows Update to try to secure stuff. But you have the standard SME problems. Oftentimes the only "real" computer in the store is the one that is also acting as the server for the POS system. So it of course has full browser capabilities and possibly more than one browser installed. He didn't think they had issues with needing to support Java/Flash/Reader, but it's still a bit of a mess and difficult to automate reporting in such a way that you can easily audit patching. And yes, they're still running XP while waiting for the vendor to release a Win 7 edition, and dreading how the vendor is going to royally fuck it up even though they know they need it. I think he supports about 300 POS terminals across 60 or so stores; the team size is 3, and there are nearly 24/7/365 support expectations.