My favorite? The number of systems Moore was able to access because of the number of routers that still had their default passwords (the ones pre-installed by the manufacturer) "guarding" the gate.
(I.e., you buy a router from XYZRouterCo and the password is something like XYZRouterCo007.)
Come on!
Where this matters for small and midsize businesses is both clear -- your IT department and tech staff are probably more on top of bonehead oversights like this than bigbiz security bureaucracies, but if they're not, you'd better make sure they are -- and less so: how many of your vendors, customers, ISPs and other points-of-contact are making exactly this sort of entry-level (in more than one sense) mistake?
While the failure to re-set (and then regularly re-configure) network passwords is a system administrator/tech staff fumble, its persistence is a management problem. If the boss doesn't know what the tech staff is doing -- or not doing -- then not-yet-caught guys like Moore can continue to get a relatively free pass into essentially unprotected networks.
In other words, re-setting and regularly changing network passwords is IT's job -- but it's the boss's responsibility to make sure it gets done.