Their argument mostly disproves their claim. I agree that security is much more than eliminating software exploits, but at least 3 of their "top" 5 examples ARE software exploits (because of either a fault in the implementation or in its spec).
1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks
The software should prevent bad passwords by default, but for the sake of argument I'll grant them that one.
2. broadcast name resolution poisoning (like WPAD) -- 64%
That's a software exploit. If your protocol is vulnerable to poisoning, your protocol has a problem.
3. local admin password attacks (pass-the-hash attacks) -- 61%
Software exploit. Hashes are supposed to *not* be equivalent to the password they were derived from. This is a well-known software exploit.
4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%
If an untrusted program can see cleartext passwords in memory, there's a software exploit; it's not supposed to do that.
5. insufficient network segmentation -- 52%
Okay, that's not a software exploit.
So #5 is not a software exploit, #1 is arguably not a software exploit (though it suggests a software problem), and the rest (#2, #3, #4) are software exploits (there's a software vulnerability in the protocol or its implementation). I would agree with them that security is much more than software, but software has an important role to play. The *REASON* that #2, #3, and #4 are problems is because people weren't paying enough attention to security.