Another problem management and admins make is to restrict everyday data that does not need to be restricted. The restrictions become a pain and workers find work-arounds for stuff that does not matter, but then the work-arounds get used on stuff that does matter. Another is enforcing "complex" passwords that humans can't remember, so they write them down.
Same with physical security. Years ago I was with the boss viewing a building the company was thinking of buying. The server room had RFID access control but the tags we were given were not on the list. Took me less than a minute to get in. They had mounted the reader on a plate, so I unscrewed that and operated the door release. Mistakes made were: mounting on a plate bypassed the reader anti-tamper (no, I'm not saying what it was), and they had made the wiring connections obvious.
Aircraft software - Boeing 737 bug where if you were on an ILS approach on a specific heading in a number of specific ranges of lat and long, ALL FIVE primary flight and navigation displays go blank. Fortunately there were only about a dozen runways on the right heading in the affected locations.
I worked at a place where the original designs had been done by "talented amateurs".
The so-called "motherboard" they designed was really just to interface the real-world stuff with a couple of PCs which did the actual "grunt work".
Although the only intellectual property in them was "public domain" stuff that you could find in a couple of hours perusing the National Semiconductors handbooks, these boards were treated as "top secret" - it took us forever to talk them into letting us have a schematic.
The silly thing is, the software, which was really good, was the only thing which really needed protection, & although they had so-called security for that, it really sucked - they lost a laptop once, which had been used in software development!
Apart from that, the physical security sucked - you could just about break in with a "sharp fingernail!"
Somebody could have got in at night, set up a small CCTV camera looking at the keyboard of one of the desktops, recorded the password keystrokes, come back in the next night, & downloaded everything of interest.
It wouldn't have needed the "Mission Impossible" team - just any old burglar off the street!
The assembly benches were powered from "daisy-chained" power boards. (O H & S, where were you?)
I would have thought the broad category "security" would include not having the whole place burn down!
I dropped back for a visit about a year after I left.
Some things had changed, the old Boss & his cronies had gone, but the culture remained as crazy as ever.
They had installed a set of surveillance cameras at great expense to keep an eye upon the assembly area (apparently to stop the workers taking notes of the particulars of their magic boards).
The assembly benches were still powered by the daisy-chained power boards, though!