Security isn't found in what you've bought or what patches are applied. It's in the process design.
Remember school from long ago and that nasty amalgamation of bits and pieces plopped onto your plate? If you asked, the drudge behind the case mumbled something like, "Meatloaf".
Some time back I was visiting an organization implementing Internet connectivity for systems, for their suppliers and partners, as well as a security program as an after thought.
Everyone was busy. Everyone pitched in so as to keep progress going. In this environment, determining who did what, who should do what, was impossible. Buckets of group credentials were used, and I think I was the only one who _didn't_ know the enable password.
While this sounds egalitarian and great teaming, it was a security nightmare. It was something I like to call 'Duty-Loaf', in honor of the foul gloppy stuff that once lined a platter.
I know, people with a background in system administration (like me), might complain this blog is too ivory tower, too security-picky. I'm not sure if that organization's systems ever got better. With everyone counting on everyone else picking up the missed work, planning was impossible, some would say unnecessary.
But as you look to your organization's processes and find no type of line through anything, instead, a process diagram that resembles a sneeze more than a line, it's important to remember that Duty-Loaf designs are impossible to debug, improve, or to secure if everyone is doing whatever they want, including the unintended visitors to your network.