The article and posts above explain more eloquently than I ever could why I gave up being a sysadmin.
But working on bids I came across a potential client for an outsourcing of their ICT, and I can only say that I doubt they would have let us do the job properly. Their security manual (all of it) was on a server in their internet-facing DMZ, even though it was marked 'sensitive', and the rules said no sensitive information was allowed in the DMZ. Their head of security insisted it was ok because the server was partitioned and they had had it tested once and the tester couldn't get access to the partition.
They admitted to, on average, two level 1 incidents a week (yes, that is two incidents which prevented most of their staff from doing their jobs, with no workaround, every week).
I could only hope that their staff subverted and ignored the security instructions so as to do their work securely.
I advised my bid team to walk away from that one, but we bid anyway, and lost. The 'winners' walked out after a couple of months.
On other clients, it is essential to remember that the Director with responsibility for IT has a day job, and his (usually his, rarely her) prime objective with the IT budget is to minimise it, and not let anyone turn anything off for even half an hour. After all, his/her Rolls only needs servicing once a year, so why should IT need anything more? IT exists to replace directors' lost laptops, not to whinge about upgrading the Windows boxes (whatever they are, do they put flowers in them?). The quality of the tea served in the boardroom is far more important than that.