A major issue in many environments is the presence of outdated software. A perfect example was just posted by ZombieTango.
It’s all too common to find a server running some old product, used for some minor purpose in the company, that is no longer supported by the vendor. Keeping software up to date is a big step towards preventing attacks. If the software cannot be updated, it’s a huge liability.
Any problem found in any version of any program is likely to have an exploit already written for it. That exploit might even have a Metasploit module already (as ZombieTango wrote for his own discovery).
Pay close attention to any outdated software you might have. If it can’t be removed or patched, at least try to isolate the software and its server so that they cannot affect the rest of the environment.