Lenny Zeltser from dshield has posted an amusing list of ways to suck at information security broken up
in the following categories.

- Security Policy and Compliance
- Security Tools
- Risk Management
- Security Practices
- Password Management

Here's a snippet

"Security Tools

• Deploy a security product out of the box without tuning it.
• Tune the IDS to be too noisy, or too quiet.
• Buy security products without considering the maintenance and implementation costs.
• Rely on anti-virus and firewall products without having additional controls.
• Run regular vulnerability scans, but don’t follow through on the results."

Read the list: http://isc.sans.org/diary.html?storyid=5644