
What is Computer Security?

One of the interesting things about security is that despite the fact that it is universally considered a Good Thing, it's probably impossible to define it in positive terms. The closest you get to a meaningful definition is to say security is an absence of nasty problems. To most employees, job security means they won't be fired. To nations, security means absence of war and conflict (or at least, inflicting it on someone else rather than having it inflicted on themselves). To computer users and administrators, security means their data cannot be spied on, and their machine cannot be used for illegal software trading, etc.

Another interesting notion of security is that it usually implies hostile intent. For instance, guns not going off by accident is a matter of safety. Every deranged idiot being able to purchase an AK-47 and mow down his neighbors is a security issue (or a constitutional right, depending on where you live).

Similarly, making sure that you don't lose your company's data when your hard disk fails is simply good IT practice. On the other hand, it is definitely a security issue if there's a bug in the operating system that allows anybody with an Internet connection to crash your main server, or if an otherwise secure network service has been misconfigured to grant unauthenticated access to the machine's resources.

To most network and system administrators, the answer to problems like this is instant: we need a firewall. Firewalls are nice things: they block the bad guys from doing bad things to our valuable and potentially vulnerable systems, by scanning all network packets and only admitting legitimate traffic. I think virtually every company connected to the Internet today has a firewall, and even private Internet users are increasingly starting to use this type of technology.

However, I would be surprised if more than half of all firewalls are configured properly. Which puts quite a large number of people back at square one.

Don't get me wrong; I do think firewalls are a very good thing. But I am afraid there is a tendency to believe they're a sort of magic cloak that makes you invulnerable. I once had an email conversation with a software engineer from a large company about a piece of software they had written and wanted us to include in our Linux product. When I pointed out a number of security flaws in it, he said: "Well, don't bother. People will only run this sort of application in a firewalled environment, anyway."

Which is a very one-sided approach to security, but I believe it is a fairly common one. Of course, administrative measures are an important ingredient of a secure IT infrastructure. But if the software deployed inside your trusted network is totally insecure, the firewall becomes a single point of failure. The same is true of all other mechanisms. You can build a sophisticated PKI (Public Key Infrastructure), and require all employees to authenticate themselves using smart cards. But if the users run insecure software after they have authenticated with your PKI, their accounts could be subverted nevertheless.


Olaf Kirch 2002-01-16