The media world in late 2011 was roiled by the spectacle of the News Corp. phone hacking scandal, in which it came out that multiple newspapers in Rupert Murdoch's British media empire broke into the voicemails of celebrities and crime victims in order to get media scoops and sometimes engage in a little light blackmail. Less well publicized was the method used to achieve this seemingly high-tech coup: investigators who had the target's contact info simply called up the number their mobile phone provider set up to retrieve voicemail remotely, then entered some guesses as to what the victim's PIN might be. Many were fairly obvious -- in fact, many were simply the default that came with the account.
The lesson: people will, if given the chance, pick dumb passwords. Have policies that force people to pick the least dumb passwords possible, and force them to change those passwords on a semi-regular basis.
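To make that policy concrete, here is an added example (not from the original article) of a voicemail-PIN policy check that rejects default and commonly chosen PINs, sequential and repeated digit patterns, and PINs older than a rotation window. The default-PIN list and the 180-day rotation period are assumptions for illustration; a real deployment would load the carrier's actual defaults.

```python
from datetime import date, timedelta

# Constructed sample of carrier-default and commonly chosen PINs (assumption:
# the real list depends on the provider and is not given in the article).
DEFAULT_OR_COMMON_PINS = {"0000", "1111", "1234", "4321", "2580", "1212"}

MAX_PIN_AGE_DAYS = 180  # assumed rotation policy


def is_sequential(pin: str) -> bool:
    """True if every adjacent digit pair steps by exactly +1 or -1 (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True if the PIN is one digit repeated (0000) or a block repeated (1212, 123123)."""
    for block in range(1, len(pin) // 2 + 1):
        if len(pin) % block == 0 and pin[:block] * (len(pin) // block) == pin:
            return True
    return False


def pin_policy_violations(pin: str, last_changed: date, today=None) -> list:
    """Return the policy rules the PIN violates; an empty list means it is acceptable."""
    today = today or date.today()
    if not pin.isdigit():
        return ["non_numeric"]  # pattern checks below assume digits only
    violations = []
    if not 4 <= len(pin) <= 8:
        violations.append("length")
    if pin in DEFAULT_OR_COMMON_PINS:
        violations.append("default_or_common")
    if is_sequential(pin):
        violations.append("sequential")
    if is_repeated(pin):
        violations.append("repeated")
    if today - last_changed > timedelta(days=MAX_PIN_AGE_DAYS):
        violations.append("stale")
    return violations
```

Run against a provisioning or account-audit export, the same function can flag every mailbox still sitting on its default PIN, which is exactly the population the phone-hacking investigators went after.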
Paranoid sysadmins will keep their OS patches up to date, of course. Windows in particular has a reputation as a leaky ship, and so tech staffers -- particularly tech staffers who may have been in part responsible for picking Windows as the OS of choice -- are generally good at keeping all those patches up to date.
The problem is that many of the most easily exploited vulnerabilities aren't in the operating system; they're in the applications that run on top of it. Just as an example, check out this list, put out by SANS in 2009, of applications that were problematic at that point. What's at the very top? Oh, just a text converter for WordPad, which you probably thought was about the most innocuous program on your computer. Also on the list is Java, which, as Mac users unhappily learned, can open up all kinds of holes on its own.