by jacquesm 2756 days ago
> I'm sure they also had a credential rotation policy, hired 3rd party pentesters, had a vulnerability management program, etc

Why are you so sure? The vast majority of the companies out there are terribly sloppy when it comes to security and do not have any of those. I doubt the effectiveness of credential rotation, by the way; that's mostly outdated advice.

Six-letter passwords without any complexity requirements are still pretty common ('123456'), as is unsalted MD5 for password hashes; IDS is a term that usually requires explanation, and if there has been a 3rd-party pentest it usually was long ago.

Some industries are better than others (fintech, medical), but there too you find terrible examples.

I look at another company every week, and the state of security at most of them is usually fairly bad, with a few exceptions where things are mostly in order. Note that we do not do a security audit; this is just a general look at company affairs, and security is only a very small part, just enough to tell whether or not they take it seriously, how big the risk of an embarrassing hack is, and what the damage would be if one took place.