One-third of all HTTPS websites open to DROWN attack


> We know SSLv2 is insecure. It's been on the bad-boy list for many years. So why do people still have it configured?

I would reckon most of these aren't just web servers where even your local Bobby Tables web dev can disable SSLv2 in Apache, but appliances, admin interfaces, vCenter servers, iDRACs, NetScalers and who knows what else that have been left exposed by half-wits, have never been patched, and never will be patched because support has elapsed, firmware can't be found, etc.

