Point by point:
#2: Many of the attacks use Zero-day exploits that are not public knowledge.
#4: See #2
#5: If you have more than 1400 servers, there will be some that are vulnerable, and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small, but they almost certainly now have at least the first foothold they need to grab some accounts and move from there, if they don't have a Zero-day exploit they can use.
#5 (2nd #5?): What they get is the SAM database which is hashed using NTLM so it is vulnerable to rainbow table attacks.
So for it to work you just need:
1) An exploit not publicly known that allows remote code execution or elevation of privilege. There are at least 2-3 of these a month.
2) Compromise a departmental webserver/app server and start working backwards.... Eventually you will get more and more accounts until you get something interesting. At the worst you have mapped a typical server and know your attack surface. Maybe they run Tivoli? So scan specific hosts for Tivoli vulnerabilities but do it slow so it isn't seen by IDS. If they run Symantec AV use the exploit that is out right now to get on a privileged system...
So obviously it isn't as hard as it first seemed, and it isn't a matter of incompetence with large companies; there are simply too many possible ways in. Your best defense is a layered one with a lot of monitoring of your logs and IDS sensors to watch for things that look unusual. Baseline your traffic so if you see a large upload over https to a server in a weird location you can flag it! It might be your SAM database going out the door...
tl;dr: In a large company there are a lot of ways to get in; if you think you are safe, you are lying to yourself.
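
The traffic-baselining advice in the post above, sketched as an added example that is not part of the original post: it builds a per-host baseline of HTTPS peers and upload sizes, then flags uploads that are large for that host and notes when the destination is also new. The host names, documentation-range IPs, flow tuple layout, and the `ratio`/`floor` thresholds are all assumptions, and "weird location" is approximated here as "a destination this host never contacted during the baseline".

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (source host, destination IP, destination port, bytes sent out).
BASELINE_FLOWS = [
    ("web-dept01", "198.51.100.10", 443, 40_000),
    ("web-dept01", "198.51.100.10", 443, 55_000),
    ("web-dept01", "198.51.100.11", 443, 35_000),
    ("web-dept01", "198.51.100.10", 443, 60_000),
    ("dc01", "198.51.100.20", 443, 20_000),
    ("dc01", "198.51.100.20", 443, 25_000),
]
NEW_FLOWS = [
    ("web-dept01", "198.51.100.10", 443, 58_000),     # usual peer, usual size
    ("web-dept01", "203.0.113.77", 443, 30_000),      # new peer, small transfer
    ("web-dept01", "198.51.100.10", 443, 9_000_000),  # usual peer, large transfer
    ("dc01", "203.0.113.77", 443, 48_000_000),        # new peer and large transfer
]

def build_baseline(flows):
    """Per source host: HTTPS destinations seen before and the median upload size."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, port, sent in flows:
        if port == 443:
            peers[src].add(dst)
            sizes[src].append(sent)
    return {src: (peers[src], median(sizes[src])) for src in peers}

def flag_uploads(flows, baseline, ratio=20, floor=1_000_000):
    """Return (flow, reasons) for HTTPS uploads that are large relative to the host's baseline."""
    alerts = []
    for flow in flows:
        src, dst, port, sent = flow
        if port != 443:
            continue
        # A host with no baseline has no known peers and falls back to the absolute floor.
        known, typical = baseline.get(src, (set(), 0))
        if sent >= max(floor, ratio * typical):
            reasons = ["large upload"]
            if dst not in known:
                reasons.append("new destination")
            alerts.append((flow, reasons))
    return alerts

if __name__ == "__main__":
    for flow, reasons in flag_uploads(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(flow, "->", ", ".join(reasons))
```

An alert carrying both reasons is the case the post describes; a large upload to a known peer is still reported so an analyst can rule it out.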