by mrb 5432 days ago
The most shocking revelation IMO is that "less than 10 percent of [RSA's] customers have requested replacement tokens". IOW, everybody knows the entire SecurID system was compromised, yet 90% of its users decided to do nothing about it!
3 comments

I believe that is weaselly at best; I've been given the impression previously that over 50% of the tokens in active use had been switched out before the public announcement of the free replacements was made. Perhaps they're doing something like counting every company that bought a few for an eval and aren't using them.
Perhaps some of them got replacements from RSA's competitors? (I'm not an expert in this area, that was my take on it.)
Shocking, perhaps, but it shouldn't be terribly surprising. Cargo cult behavior (imitation devoid of knowledge or critical thinking) tends to be the norm rather than the exception. In security as elsewhere.