Security is not always just about hardware and software
As Khabi said, it's the user as well. Yay social engineering!
The server admin has the most responsibility for not only locking down his/her network, but also instructing the users on what to do and what not to do.
Remember, the safest box is one that isn't powered up!