I had to give some remote support on a CRM system and the password for the administrator account was pa$$w0rd. I guess the people administrating this systems don't have a clue about what it would mean to loose this asset.
Since I am a MSSQL DBA people automatically assume that I have no clue about linux systems. The other day I got agitated in a meeting because somebody said that linux was not important. I apparently reacted in a way which got the attention of some people because suddenly I got a request to look at a postfix server. When I connected over SSH to the server I had to use an account called administrator and I'll let you get the password ... yep, it was password. I needed root to access some files but my contact was not absolutely sure about the password so I tried my luck and yes, it was password.
Security is not something simple, but some basics like a good password policy and auditing for weak passwords are simple. There are no excuses for these mistakes.