When it comes to what security companies do, one of our major concerns is that they tell people that they need to take all sorts of advanced security measures while so many people are still failing to do the basics. For some time, our main concern with that was that people would feel overwhelmed and, instead of making sure they were doing the basics, wouldn’t do anything. What we have seen more of recently is that people will do more advanced things instead of the basics, which can produce bad results, as was the case when one of security company Trend Micro’s websites got hacked because they failed to do one of the basics and relied on a more advanced measure that failed (even after they got hacked, they didn’t take the more basic step).
Another example we ran across recently involved someone reporting that when trying to install a plugin for checking for vulnerable WordPress plugins, there was a fatal error. The error was caused by the plugin trying to use a function that was introduced in WordPress 3.4, which was released nearly 5 years ago. That doesn’t seem like it should be a problem, but it was in that case because the website they were trying to install it on was still running WordPress 3.2.1.