"And not as smart as they think they are."
After working through some 'improved' 'secure' connection options for enabling credit card processing for a $company, I discovered that the two banks involved didn't know which SSH programs they were using over the wire, then with that answered they couldn't say what versions they were running. Then that they hadn't thought to check for reasons to update, like vulns listed by version. Epochs of vulns given the age of those versions.
They didn't know, they didn't know, they didn't know - reads just like "they didn't care", eh? As bad as the phone companies I'd worked with and swore off. All big companies have soft spots. Start with the heads...