One of the truisms of security is that a chain is only as strong as its weakest link. Just over a week ago I presented a session at TechEd New Zealand titled "20 things you can do right now to secure your Windows Client and Server infrastructure."
The session covers things that are fairly straightforward. Even though the steps are straightforward, many organizations don't get around to implementing them, either due to institutional issues or because the steps are considered "too obvious". That is to say, it is sometimes easier to get an organization to adopt complex security procedures than simple ones, as people assume that the more complex a security solution is, the more effective it is.
When you come back to the idea that a chain is as strong as its weakest link, you start to realize that before you start worrying about the complicated parts of IT security, you should really ensure that the simple parts are taken care of first.