Many companies, including those that were victims of mass breaches, find it tedious and expensive to keep their systems up to date. The underlying problem is that every system contains vulnerabilities, which leave it exposed to individuals with bad intentions. When Microsoft discovers such issues, it releases patches, but typically only for systems it still supports. Without these patches, an attacker's job becomes much easier. Even the NSA is now urging you to make sure your system is up to date, and it specifically noted that Windows users needed to update their systems. What makes this even more interesting is that the patch actually covered older versions of Windows that Microsoft no longer officially supports. Read more about that here. If you don't have a policy outlining the requirement to update your systems, we recommend that you put one in place as soon as possible.
Sometimes the vulnerability lies in a single component of a larger system. For instance, a user could unknowingly install malware on a phone. The phone's own software could be fine, and so could the system the phone connects to, but the compromised phone can still endanger the entire system. Security of the system as a whole therefore has to include how end users treat the equipment they are entrusted with. Most companies probably have policies governing end use, but the number of breaches that start with phishing attacks clearly suggests that these policies are often either not enforced or not followed. Your policies should include required training, as well as consequences when users do not follow them.