Because very few SMTP servers *require* the use of SSL. Some will use SSL if available, but fall back to plain text otherwise, and also usually not check the certificate. Many mail servers still don't enable SSL at all and plain text email is frequently sent across the internet.

Not just unique passwords, also use unique email addresses (eg register your own domain and use an address which includes the site name), that way you will be able to tell if a company has a breach which results in your email address being leaked to third parties, or if they sell your address intentionally.

And a lack of easily available and valid business contact information is actually illegal in many countries...

There really isn't much else you can do, publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.

London has the same problem... Old infrastructure, nowhere to locate street cabinets and very difficult to get permission to do any work in the street coupled with relatively few residential customers. Central London is mostly business users, and given the rates these businesses pay for their offices they can afford to have dedicated fibre lines installed.

Two factor authentication only provides any level of protection against a specific type of attack (ie guessed/harvested user accounts), and even then is often not infallible.

In a typical organisation the normal user facing clients (eg desktop machines) may require two factor, but the underlying network protocols are still using the same authentication they always have, so while you can't go in the front door through a local workstation login you can attack other devices at the network level. People frequently consider the fact that there are usually several ways to access the same data.

Exploitation of a security vulnerability also frequently bypasses the authentication system entirely (eg arbitrary code execution via a buffer overflow).

Many two factor systems rely on a third party (eg rsa), so if that party is compromised then you are effectively back to single factor...

The users can flag ads as intrusive...

The hashes you get from LLMNR/NB spoofing are slightly different and need to be hashed, you cant pass them directly although if smb signing is turned off you can mitm the connection...
But yeah, sitting and connection hashes in this way is almost always effective too.

SMB is indeed commonly used outside of broadcast domains, hosts can find each other through dns (or wins etc), and happily communicate across ethernet segments. In many cases most of the servers will be in a different ethernet segment to the workstations etc.

SMB will almost never be filtered internally because it's used for domain logons and file sharing, and users will have a need to access files stored on servers in other parts of the company.

On the other hand, SMB is a terrible protocol... Not only does it allow file sharing, but it can be used for all manner of other things too, so by permitting it for something you need (file sharing) you are opening yourself to all manner of other things you don't need or want.

Doing what you describe is simply not practical for a windows based environment. Sure ideally SMB would be blocked, and a dedicated "file sharing only" protocol would be used, but windows only supports SMB by default.

You're assuming that it spread by trying to guess usernames and passwords, which is highly unlikely.

Chances are it spreads using usernames and password hashes that it already knows. If you compromise a single windows host you can extract the local admin hashes (which are often the same across many hosts because they were all built from a stock image), you can also extract the hashes as well as the plain text password of any currently logged in account including domain accounts, and any account which is saved in the registry for use to start services (i've seen networks where the antivirus is running as a domain admin on every host - ensuring that an admin password is extractable from every single host).

Using this hash passing approach you can almost always spread throughout a network.

As for logging...

Your IPS will probably ignore SMB traffic, because it's extremely common and expected.
The hacker will target the workstations first, they are probably not configured to send their logs back somewhere centrally... Chances are at least one workstation will have a valid domain admin hash available on it at some point. You only start hitting the servers once you have confirmed valid logins, valid SMB logins from internal workstations won't trigger any IPS because they are expected.
Windows logging especially is usually quite shit, it's either far too verbose (the attack gets lost in the noise), or utterly useless... You might be able to detect a flood of invalid login attempts against the domain or directly against core servers, but a competent hacker is highly unlikely to try that.
Otherwise your logs are only really useful "after the fact" to try and determine what went wrong, because by that point you now have time and budget to sit and comb through them. Ofcourse this also only works if your logs are sufficiently detailed, and are still intact. If the system hosting your logs was on the domain, or accessed from workstations which are part of the domain then your logs are effectively worthless, a competent hacker would have deleted or modified them to cover their own actions.

So they're stuck with poorly designed tools (ie windows), that have gaping design flaws that make such attacks easy to perform and hard to detect or stop. You could go to significant effort and expense to make such attacks more difficult, but many companies just won't have the budget for that in terms of the number and quality of staff (competent people are expensive), all the various expensive third party software and all the extra time (or extra staff) required to do things in a more secure but far more time consuming way.
In reality, people cut corners. Even those who should know better, want to save themselves time or have to save themselves time because the company hasn't hired enough people for what they need.

Yes, yes they are...
Most companies have a horrendously insecure internal network, with virtually everything tied to an active directory domain which is laughably easy to compromise. They follow what they believe are best practices by installing patches every month, using strong passwords, setting account lockouts etc, but because of how the system is designed it only takes one weakness to make everything fall down. And then they will probably spend a lot of money buying "security software" that just makes the systems run far slower, while not fixing any of the underlying weaknesses.

Most company networks are like a tardis, they use a network firewall to ensure that only a tiny fraction is visible from the outside, but once you get inside it's much bigger. All it takes is for one minor breach in the firewall by someone semi competent and 99% of companies would be looking at a catastrophic breach. If it hasn't happened to your company yet then it's either a) luck, or b) it has happened but the perpetrators have other motives than publicity

It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester i'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful is virtually 0.

China...

Noone ever picked FAT, it's a very poor filesystem and the only reason it ever gets used for anything is because MS won't support anything else unless it's even more proprietary.

Hiding insecure boxes behind firewalls is NOT any kind of solution...
A firewall may stop unsolicited inbound scans but thats about all... You can still be attacked via outbound connections that you initiate (e.g. browsing), removable media you insert, files you download etc or from other boxes on the same network behind the same firewall.

While i agree about blocking intrusive ads, the fact that adblock are demanding money from advertisers really is extortion.
If they were just allowing unintrusive ads by default and not taking money for it they might actually encourage advertisers to clean up their act.