Public access websites are different than a corporation's internal network, and should be held to higher security standards due to their visibility and fallout if they do get hacked. After working in IT departments at a few companies I have the feeling that the majority of companies have little to no security prevention, they just expect that nobody will be interesting in hacking their databases. It is so much more profitable to sell data to the Chinese.