Ask HN: What cloud security practices should you do, but don't?

  • I no longer work at the company, but I used to work at a startup doing IoT devices. Our cloud server didn't stay up to date with security vulnerabilities as we should have. Basically letting MySQL get behind in versions. There was also the issue of SSL being forgone in the name of time saving since I was the only one working on infrastructure. The development platform we were using broke on older versions with SSL enabled, so it was thrown into the wind before I had the time to deal with it.

    This was due to being inexperienced with the work, too many duties, and a timeline that didn't give me the time that I needed to fully understand some topics.

    TL;DR:
    - Security vulnerabilities from version updates
    - SSL on some platforms
    - Not having a dedicated / experienced individual on staff for dev ops in general

  • > Why not?

    From a sysadmin/devops PoV, it boils down to flexibility. Security comes at the expense of flexibility, and flexibility is more important for the survival and well-being of many/most IT companies, and it's especially crucial to startups.

  • Absolutely. I think many companies don't have DDoS protection on their online infrastructure.

    Patching, changing admin and default passwords, periodically changing passwords are all practices that fall behind.

    With the rise of IoT and more and more devices that can be infected with malware, these connected devices get ignored. We protect our PC and maybe our mobile phones, but what about our IP-connected cameras and office phones? You can use the Mirai scanner to see what devices are vulnerable: https://www.incapsula.com/mirai-scanner/