They hide behind lawyers and don't use complex passwords for admin accounts. Nor do they do security updates in a timely fashion. If one admin runs an attachment in email that exploits the system, they got a trojan back door into the server and can do whatever Admin does.
