The thing with social hacks, and a lot of things that script kiddies/hackers/maladjusted people do is… well, the “hackers” think of themselves as great for accomplishing this great feat of breaking into someone’s property or outwitting them. It’s like a kid jumping over a picket fence into someone’s garden, and making a big deal because they broke through the guy’s defenses. What they don’t realise is that the guy with the picket fence has better things to do than mess up his front yard building impenetrable defenses, just to protect against the slight chance that you might mess up their grass. The average person just doesn’t care about security, the way IT pros do. And in most cases, that’s a fairly sane way to prioritise. This is only a problem in two ways:
* banks, e-commerce, and a few other kinds of site with sensitive data have a responsibility to protect confidential information. In this case, the site operators need to step up their game, but they usually know that.
* insignificant servers can be used to launch attacks on sites/systems that matter. But that’s more of a problem for it pros, not the insignificant sites.