My first (that I know of!) sysadmin security failure was a socks proxy that I installed for windows gaming. D2? Mea culpa. This is so long ago that the default configuration for the package was for it to be wide open. I mentioned to the package managers that this was irresponsible of them (though it was clearly my fault). They balked and said I installed it so it was my fault. I think I went one more round with them, agreeing – and yet, they could be safer by default.
I wonder how long it took before they finally shipped a secure[ish] by default package.