I've been spending a decent amount of time trying to identify the root cause of various high-profile hacks happening to companies, and it's pretty surprising how short-sighted or ill-informed these victims are. In virtually all cases, the methods the hackers used to perpetrate their misdeeds are completely secret or not understood.
Giving those brilliant InfoSec officers the benefit of the doubt, I have to assume they're not ill-informed, but rather short-sighted. I mean, don't they realize how the security community would benefit from the knowledge of how their networks got hacked? Do we really need to get Johnny Law to enforce some silly legislation to share these root causes with the rest of us?
Want to hazard a guess what the root cause is? Think I have a pretty good guess. I recently asked a savvy techy customer how many times per month they have reports of malware infections on their network, and the answer was 100 - per WEEK!