Assuming it's not actually one of their own employees/consultants helping re-infect the systems, maybe one or more of these fairly common situations applies:
* Using Cisco routers with default configurations and firmware that hasn't been updated in years...
* Using unencrypted, plain text authentication for systems instead of public key auth...
* No password strength standards (some employees predictably using "911" or "123456" for their passwords)
* Employees allowed to re-use the same passwords after the supposed "clean sweep"
* Windows filesharing services
* Wireless networking at all, or possibly using WEP or even completely open
* Microsoft Office documents from outside sources
* HP printers, or really any network/wifi enabled printers
* That one old Windows XP box nobody is allowed to reformat clean because it's "mission critical"
* Employees are allowed to bring in their own laptops/cellphones and other usb/bluetooth/wifi enabled devices
Did I miss anything? Anyone else seen this crap enough times to know the intrusion vector is probably nothing highly advanced or original?