It's always been a problem, and I see it hasn't changed. One of the things I remember from leaving one place a decade ago was just how many systems I had access to as a function of my job as a system admin, and the number of user accounts with that - including support vendor accounts. Even though I was ethical enough to tell them what I had access to, and that they needed to change all those passwords, it turned out that they didn't. I learned that when I was recalled as a contractor, and it turned out I didn't have to get a set of new passwords for the system, about half of the old ones still worked. Even worse, the ones that still worked were ones that gave me root access.