Competent system administration, service pack management, e-mail security measures, effective firewall administration, and strictly enforced limitations on what an employee can access via the internet can substantially reduce the impact of even the most serious application-related exploits. The majority of malware today uses social engineering as its attack vector, but there are ways to prevent this in any company willing to invest in employee training and in creating specific guidelines that even the most computer-illiterate employee can understand. Most employees do not need unrestricted access to the Internet to do their jobs. Even companies using outgoing/incoming keyword blocking, black lists, white lists, and domain blocking at the firewall level are often too liberal and never updated fast enough to keep up with the fast-paced and ever-changing threat environment. If a particular internet site or service is needed by the employees, those sites can be evaluated by a knowledgeable IT security professional to determine the risk of allowing employee access.
Stuxnet actually required someone to infiltrate the physical plant (most likely an Iranian asset being paid by the US or Israel) to insert a thumb drive to infect the Iranian nuclear centrifuge laboratory network. Not to mention physically breaking in to two companies in adjacent office parks located in Japan to steal the security certificates that were used in conjunction with a Windows 0-day exploit to unleash Stuxnet. That is an extreme example, but allowing employees to plug their own USB or other external devices into the corporate network is stupidity of the highest order, since that would allow any malware or viruses to completely bypass any of the border security measures.

A big part of proper system administration is putting any internally developed applications under a microscope before pushing them into a production environment geared for public use. Developers are notorious for thinking the application standards and security practices do not apply to them, since they think they know what they are doing. Application development managers are notorious for cutting corners after incorrectly planning and managing internal development projects. Most of the operating systems today are about as secure as they can be and still be able to actually run applications, especially legacy applications that would not work under a new security paradigm, because even the most aggressive sandboxing schemes have exploitable weaknesses.

If a company does require the use of the internet communication infrastructure, they should require, without exception, that only VPN connections be used. Network access and activity logs should be scrutinized by configurable automated utilities to raise warning flags as soon as possible if suspicious traffic or activities are detected. But even all these common-sense precautions will not stop a determined and well-funded organization from attempting to exploit your systems. However, it does make it harder and a lot more expensive to attempt, and it also makes the exploit attempts more noticeable.

The various international security agencies can place human assets inside any company they want to facilitate their activities, and that tactic is almost impossible to counter, since all national security services of note can manufacture identification documents and employee backgrounds that will hold up under any scrutiny a company or government may employ during the hiring process. You can bet that every major internet company such as Google, Facebook, Twitter, MS, Yahoo, Cisco, Intel, Mozilla, Apple, Nokia, Verizon, AT&T, Sprint, Samsung, and all the other similar companies have intelligence agents from various nations embedded in their staffs. It's the easiest and cheapest way to guarantee access to whatever they want. Outside of real-time signals intelligence monitoring operations in areas of immediate interest around the world, placing human assets on the inside of these companies is the easiest, cheapest, and most effective means of bypassing security precautions and gathering all the information they want.
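The post above calls for "configurable automated utilities" that scrutinize network access logs and raise flags on suspicious traffic, non-VPN use and unapproved destinations. As an added example (not code from the original post or from any product it mentions), here is a small policy-driven log scanner in Python. The log format, field names, policy values and the sample lines are all constructed for the example; a real deployment would parse the proxy or firewall format actually in use.

```python
"""Added example: a configurable log-scrutiny utility that flags
unapproved destinations, traffic outside the VPN interface, unusually
large egress, and periodic beaconing.  Log format and policy are
hypothetical, constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical one-line-per-connection log format (constructed, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"iface=(?P<iface>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log.  ws-22 talks outside the VPN, ws-09 beacons to an
# unapproved IP once a minute, and ws-17 pushes 40 MB to one destination.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=ws-17 user=alice dst=intranet.example.com:443 iface=tun0 bytes=1200
2024-03-01T09:00:05 host=ws-17 user=alice dst=vendor-portal.example.net:443 iface=tun0 bytes=3400
2024-03-01T09:01:00 host=ws-22 user=bob dst=updates.example.org:443 iface=eth0 bytes=910
2024-03-01T09:01:10 host=ws-09 user=carol dst=198.51.100.23:8080 iface=tun0 bytes=512
2024-03-01T09:02:10 host=ws-09 user=carol dst=198.51.100.23:8080 iface=tun0 bytes=512
2024-03-01T09:03:10 host=ws-09 user=carol dst=198.51.100.23:8080 iface=tun0 bytes=512
2024-03-01T09:04:10 host=ws-09 user=carol dst=198.51.100.23:8080 iface=tun0 bytes=512
2024-03-01T09:10:00 host=ws-17 user=alice dst=intranet.example.com:443 iface=tun0 bytes=40000000
"""

# The "configurable" part: an allow-list of vetted destinations, the VPN
# interface(s) every connection must use, and thresholds for the heuristics.
POLICY = {
    "allowed_domains": {"intranet.example.com", "vendor-portal.example.net",
                        "updates.example.org"},
    "vpn_ifaces": {"tun0"},
    "beacon_min_hits": 4,       # connections to the same dst before we test periodicity
    "beacon_jitter_s": 5,       # max spread between inter-connection gaps to call it a beacon
    "egress_bytes_limit": 10_000_000,
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    host, sep, port = rec["dst"].rpartition(":")
    rec["dst_host"] = host if sep else port   # tolerate a dst with no port
    return rec


def beacon_alerts(host, dst, stamps, policy):
    """Flag a (host, dst) pair whose connection gaps are nearly constant."""
    if len(stamps) < policy["beacon_min_hits"]:
        return []
    stamps = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if max(gaps) - min(gaps) <= policy["beacon_jitter_s"]:
        return [{"rule": "periodic-beacon", "host": host, "dst": dst,
                 "hits": len(stamps), "period_s": sum(gaps) / len(gaps)}]
    return []


def scan(log_text, policy):
    """Run every rule over the log and return a list of alert dicts."""
    alerts = []
    seen_unapproved = set()          # one alert per (host, dst), not per line
    by_pair = defaultdict(list)      # (host, dst) -> timestamps, for beacon detection
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            alerts.append({"rule": "unparsable-line", "detail": raw})
            continue
        key = (rec["host"], rec["dst"])
        by_pair[key].append(rec["ts"])
        if rec["dst_host"] not in policy["allowed_domains"] and key not in seen_unapproved:
            seen_unapproved.add(key)
            alerts.append({"rule": "unapproved-destination", "host": rec["host"],
                           "user": rec["user"], "dst": rec["dst"]})
        if rec["iface"] not in policy["vpn_ifaces"]:
            alerts.append({"rule": "not-via-vpn", "host": rec["host"],
                           "user": rec["user"], "iface": rec["iface"]})
        if rec["bytes"] > policy["egress_bytes_limit"]:
            alerts.append({"rule": "large-egress", "host": rec["host"],
                           "user": rec["user"], "bytes": rec["bytes"]})
    for (host, dst), stamps in by_pair.items():
        alerts.extend(beacon_alerts(host, dst, stamps, policy))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, POLICY):
        print(alert)
```

Running it on the constructed log produces four alerts: bob's connection on eth0 (not via VPN), carol's unapproved destination, the once-a-minute beacon from ws-09 to that same address, and alice's 40 MB upload. The allow-list and thresholds live in one dictionary so the rules can be tightened or relaxed per site without touching the detection code, which is the point the post makes about keeping such controls configurable and kept current.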