What about companies that outsource various non-core activities to third-party suppliers? They invariably cut costs by doing everything online over the public internet. There's no chance of single sign-on or public/private keys for authentication, just plain username and password. As there's a different third-party site for each outsourced function, people will just reuse the same username/password combination for them all.

It doesn't matter if your IT security policies are watertight if you effectively give your entire password file to some tinpot site management company because it's deemed too expensive to create a secured extranet connection to report a blown lightbulb.