One of the biggest is lazy administration of machines/servers. Examples are:
1. "Permit root logins yes", especially on publicly accessible machines AND having an easily guessable root password (length less than 8-10 characters)
2. No firewall, or the default firewall policy is ACCEPT
3. Not patching servers/machines from time to time.
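
A way to check items 1 and 2 on a host, as an added example that is not part of the original post: the function names and sample files are constructed for illustration, and the inputs are saved `sshd_config` text and `iptables-save` output so the checks run offline.

```shell
#!/bin/sh
# Effective PermitRootLogin from sshd_config-style text. sshd honours the
# FIRST occurrence of a keyword, and keywords are case-insensitive.
# Assumption: only the global section matters, so stop at the first Match.
root_login_setting() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Default policy of a filter-table chain, read from iptables-save output.
# An empty dump (no rules ever loaded) yields "missing".
chain_policy() {
    awk -v chain=":$2" '
        /^\*/ { in_filter = ($1 == "*filter") }
        in_filter && $1 == chain { print $2; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# Print one line per finding for list items 1 and 2.
audit() {
    [ "$(root_login_setting "$1")" = "yes" ] &&
        echo "FINDING: PermitRootLogin yes (root may log in, password included)"
    [ "$(chain_policy "$2" INPUT)" = "DROP" ] ||
        echo "FINDING: INPUT default policy is not DROP"
    return 0
}

# Constructed sample inputs (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'Port 22' 'permitrootlogin YES' \
    'PermitRootLogin no' > "$tmp/sshd_weak"
printf '%s\n' 'PermitRootLogin prohibit-password' > "$tmp/sshd_ok"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT' > "$tmp/fw_open"
printf '%s\n' '*mangle' ':INPUT ACCEPT [0:0]' 'COMMIT' \
    '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$tmp/fw_closed"

audit "$tmp/sshd_weak" "$tmp/fw_open"
```

On a live host, `sshd -T` prints the effective server configuration and can be fed to `root_login_setting` in place of the raw file.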