I've audited enough crappy systems to say with some faith that there are VERY few systems out there that would stand their ground against an at least halfway organized assault.
And I'm not really disclosing anything that is under tight NDA or similar bull. Anyone who has an inkling of a clue about IT security will come to that conclusion by the hacks that get public alone. Take the Anonymous/LulzSec (or whatever that was called) hacks of some time ago. Now, I don't want to belittle their effort, but when you look at how high profile the targets were and what simple tricks were involved, you can't help but wonder.
I can't think of a single published attack vector they used that was not part of the OWASP Top 10, which is pretty much the baseline for IT security. That's essentially the very least of what you have to have "down" when you're at least remotely concerned about the security of your IT assets. We're talking about the equivalent of having your door locked at night or closing your windows. Very basic stuff that makes you wonder just why it was possible for them to overcome.
You stop wondering when you spend a bit of time in the corporate IT security business. The problem boils down to a single factor: money. And that's where security really has a problem: It costs a ton of money, but makes none. Every cent spent on security is gone with no chance to ever see it again. And you spend a lot of cents on it, not only because the people who can do it sensibly are quite expensive, but because security is also usually anathema to productivity. Of all the companies I know, only in a single one does security trump productivity and availability in cases where they are mutually exclusive (and they are usually numerous). One. Out of hundreds.
IT security is much like insurance. And just like with many "unnecessary" insurance policies, companies have it mostly due to either legal or contractual requirements. And just as with insurance, they will "waste" only the bare minimum of resources on it, just enough to abide by contract or law.
I think it goes without explanation just why such a Potemkin village of security straw huts won't stand a breeze, let alone some dedicated storm.