"To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants."
I think companies should hire better qualified personnel and, if they actually have those on the payroll, also start listening to them.
The main problem in many big companies ("Enterprises") is the sometimes endless layers of managers. In certain cases the management layer has actually grown into an entity of its own. With that I'm referring to Enterprise environments which would hire managers solely based on management skills even though the person in question either completely lacks any in-depth understanding of his department or simply doesn't have enough understanding to fully understand what his team is telling him.
Such a person will more often than not make decisions which make him look good. Or put differently: decisions which are most likely not to cause any members of the layer above him to become displeased (or worse) with him (put differently: his department). Even though, especially when talking ICT, sometimes such decisions have to be taken.
"We need to upgrade the firewall today, there have been some flaws found in the operating system so we need to upgrade the kernel. It will require a reboot, so the website(s) will be down for a short moment".
"Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as many visitors to the website as we will have this week".
And what do you know; the admin who suggested the upgrade simply couldn't explain well enough that we were talking about a zero-day exploit which could allow third parties to gain access to the server. The manager didn't understand enough of his department's work to inquire about the risks involved, so that he could weigh the risk of a longer downtime against the risk of not upgrading the OS then and there.
The result? Well; you'll be the judge of that. Depending on the flaw and the increase in traffic they could obviously also attract people who might try to exploit said flaw. Or not...
Even so; in my opinion it's issues like these which are the real culprit. The reason I'm pointing to enterprise (-like) environments should be obvious: in many cases when we're talking about break-ins and such, these are usually involved.
Heck; this could even go as far as an enterprise(-like) environment which provides (hosting) services for smaller companies. In my case there are some very strict rules to follow, which was one of the reasons I started hosting with my current provider: if they detect that you run your own DNS server and it can do recursive lookups for everyone, they reserve the right to block said server. If they detect that you run your own MTA and it provides an open proxy, then the same rules apply.
How many hosting companies (once again: talking about Enterprise (-like) environments) will simply let it go because they don't consider it their problem ("the customer is responsible for his own server")? Even though enforcing such rules could prevent a lot of Internet "casualties"...