The UNIX and Linux Forums  

  #4 (permalink)  
Old 01-07-2006
dsbeerf
Re: Root User Management.

I just HAD to stick my 2 cents in here. One problem I've seen is a lack of 'terminal servers' with SSH (2) only access. A LOT still use telnet. Telnet and the BSD 'R'-commands should be banned. Another is that nobody sits down with the CEO (president, owner, etc.) and has a discussion about what is the true VALUE of the "stuff" stored on his computer systems. Or the cost to him when these systems are no longer accessible. The goal being to force him/her into a security policy. Which should really limit the "bigshot" access.
The final thing is something an 'old' sysadmin once told me. We were setting root passwords. He grabbed a UNIX book off the shelf, found a chapter or sub-chapter title with six or seven words in it, took the first letter of each word, 'munged' these characters (a=@; l=|; e=3, etc.) and stuck the first character of the hostname in front of this string, and the last character of the hostname at the end. He had created 'the same' root password for all machines (easy to remember, especially if you wrote down the chapter title), and at the same time a different root password for EACH machine. I have used this (or a variation) ever since.
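
The scheme described in the post above, written out as an added example (not part of the original post) so the per-host variation can be measured. The chapter title and hostnames are constructed, only the three substitutions the post names are used, and applying them case-insensitively is an assumption.

```python
# Constructed sample input: a seven-word chapter title and two hostnames.
TITLE = "Setting Up Local Printers and Serial Lines"
HOSTS = ["alpha", "web01"]

# Only the substitutions named in the post; the post's "etc." is not guessed.
MUNGE = {"a": "@", "l": "|", "e": "3"}


def derive_core(title: str) -> str:
    """First letter of each word, munged (case-insensitive: an assumption)."""
    initials = [word[0] for word in title.split()]
    return "".join(MUNGE.get(ch.lower(), ch) for ch in initials)


def host_password(title: str, hostname: str) -> str:
    """Hostname's first character + shared core + hostname's last character."""
    if not hostname:
        raise ValueError("hostname must not be empty")
    return hostname[0] + derive_core(title) + hostname[-1]


def differing_positions(a: str, b: str) -> int:
    """Number of character positions in which two equal-length passwords differ."""
    if len(a) != len(b):
        raise ValueError("passwords must have equal length")
    return sum(1 for x, y in zip(a, b) if x != y)


def implied_password(known_password: str, other_hostname: str) -> str:
    """Password another host would have, given one host's password.

    The middle of every password is the same core, and the outer two
    characters come from the hostname, which is not secret. This is why
    one disclosed root password exposes every machine using the scheme.
    """
    core = known_password[1:-1]
    return other_hostname[0] + core + other_hostname[-1]


if __name__ == "__main__":
    passwords = {h: host_password(TITLE, h) for h in HOSTS}
    for host, pw in passwords.items():
        print(f"{host}: {pw}")
    a, b = (passwords[h] for h in HOSTS)
    print("positions that differ between hosts:", differing_positions(a, b))
    print("implied from alpha's password:", implied_password(a, "web01"))
```

The passwords differ per host only in the two characters taken from the hostname, so the scheme protects against typing one host's password on another but not against disclosure of any single password.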