This article has a lot of merit, but does miss some things as well.
First: any security device, be it physical or logical, is a tool, not a solution. Left to its own devices without monitoring, upgrading and replacing on schedule, it will become an injection point for a malicious hacker. There are many other points, but you should know these along with proper defense in-depth, to include internal network security lockdown methods, such as proper VLAN creation/enforcement.
Second: system admins are the most dangerous users on a network. Most are not properly trained, don't have a 4-year degree in systems/computers, are overworked, are understaffed, and therefore try to get through things as quickly as possible. They don't have security in mind, and rarely follow installation instructions as prescribed by engineers. Many will use their accesses to get around policies, procedures etc. Finally, most SAs use email with an account with admin privileges.
Third: Management is ignorant. Proper policies and procedures for security are often ignored or worse... don't have proper security engineers trained to do a complete and skillful risk assessment of the policies and procedures... let alone network tools.
As an experienced red team member for nearly 30 years, I typically take these 3 things into account when attempting to breach network systems. It's not just people, but the policies and procedures along with improper risk assessment/mitigations which provide attacking points.
How many system items can any organization within a company order without knowledge of security personnel? A LOT. Not just USB sticks, but keyboards, KVMs, mice, adapters, etc.
How many people touch a newly ordered router before it gets to network engineers, and are there procedures to ensure nothing was tampered with along the way? It doesn't take a genius to get into the supply chain of IT equipment and add malicious technology into the stream.
Yes, of course, as security people you get the obvious; however, malicious hackers don't often work the obvious. You also don't hear about many breaches, such as supply chain tampering... because this type of breach is usually not handled by local authorities. Also, don't believe each and every report you hear about. Just because a particular attack method is publicized doesn't mean this is actually what happened.
Don't just read a book about security; you need to be critical thinkers and work outside the box. Follow your instincts and experience. Take the time to do it right.