I have a pentesting company that I have been operating for a while. I wholeheartedly agree that there are many organizations that are not adhering to "best practices". The other statement being "abysmal state" is probably more accurate based on what I see on a daily basis.
In a recent conversation with a vendor, the sales person stated to me that "well, most companies are probably doing the basics, and this is where we come in, above that level." I replied "I'm going to have to stop you there. Based on what I've seen, you don't realize how low the low hanging fruit really is..."
In all seriousness, my experience has been that "size matters". Really small companies, say <100 employees, may not have an IT person, and if they do, it is contractual, and a break-fix service only. There is no time being spent on security. At the other end of the spectrum, really large companies, >100K employees, are many times disorganized and disjointed enough that they miss some of the critical "low hanging fruit" by making global exceptions as policy for a specific niche use case. As an example, "We need to ensure TLS 1.2 is in use on all assets. Response: Well, Bob in accounting has this check-pay system that is critical, and it can't use TLS 1.2, so leave TLS 1.0 on. Response: Ok, we can't disable TLS 1.0 anywhere."
Oversimplified and cynical, I know, but the reality is I have seen the conversations go that way when the agenda is more about political power struggle than solving the security issues for the good of the company.
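The failure mode in the TLS 1.0 anecdote above is that one niche exception silently becomes the global default. As an added example (not from the poster, and not a real customer config), the shell script below audits an nginx-style configuration and lists exactly which server blocks still allow TLS 1.0 or 1.1, so a legacy exception stays visible and scoped to the one service that needs it instead of being applied everywhere. The sample configuration, including the `checkpay.example.test` host, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits an nginx-style config
# for ssl_protocols directives that still permit TLS 1.0 or TLS 1.1 and reports
# the server block (or GLOBAL for the http-level default) that carries each one.
set -eu

# Constructed sample config: a modern global default, one documented per-service
# exception, and one undocumented legacy setting.
CONF="${CONF:-$(mktemp)}"
cat > "$CONF" <<'EOF'
# Global default: modern protocols only.
ssl_protocols TLSv1.2 TLSv1.3;

server {
    server_name portal.example.test;
    # inherits the http-level default
}

server {
    server_name checkpay.example.test;
    # Documented, scoped exception for the legacy check-pay client only.
    ssl_protocols TLSv1 TLSv1.2;
}

server {
    server_name intranet.example.test;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF

# Print "<server_name> <protocol list>" for every ssl_protocols directive that
# includes TLSv1 or TLSv1.1. Blocks without their own directive inherit the
# enclosing default and are therefore covered by the GLOBAL line, if any.
legacy_tls_servers() {
    awk '
        /^[[:space:]]*#/ { next }                              # skip comments
        /server[[:space:]]*[{]/ { name = "(unnamed)"; depth++; next }
        /server_name/ { sub(/;.*/, ""); name = $2 }
        /ssl_protocols/ {
            line = $0
            sub(/;.*/, "", line)
            sub(/^[[:space:]]*ssl_protocols[[:space:]]*/, "", line)
            # Match TLSv1 or TLSv1.1 as whole tokens, not the prefix of TLSv1.2/1.3.
            if (line ~ /TLSv1([[:space:]]|$)|TLSv1\.1([[:space:]]|$)/)
                print (depth > 0 ? name : "GLOBAL"), line
        }
        /[}]/ { depth-- }
    ' "$1"
}

legacy_tls_servers "$CONF"
```

Running it against the constructed config prints the check-pay exception and the intranet block, and nothing for the portal, which inherits the modern default. The useful property is that the exception is tied to a named service: removing it later is a one-block change rather than a fleet-wide policy debate.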
If your organisation really needs next to no downtime, then you may want to examine if automating deletion and recreation of servers from an offline pre-patched image via automation is a useful place to move to. Being able to blow away all suspected compromised servers and rebuild them by firing a script, then restoring affected files from backups, is a quick way back into service. It does however require a change to a more proactive automated approach, rather than trying to fix up legacy infrastructures.
-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
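The rebuild-from-image workflow described in the post above, as an added example that is not the poster's own script: it stands in local directories for the golden image, the backup store and the running fleet so it runs offline, but the sequence is the real one. Destroy the suspect instance, recreate it from the pre-patched image, restore only the data paths from backup, then verify that every file the image ships is byte-identical on the rebuilt host. The hostname `web01`, the paths and the file contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post. Simulates "destroy and rebuild
# from a pre-patched image, then restore data from backup" with local
# directories in place of real VMs, images and backup stores.
set -eu

WORK="${WORK:-$(mktemp -d)}"
GOLDEN="$WORK/golden-image"   # offline, pre-patched image (constructed)
BACKUP="$WORK/backups"        # per-host backups of data paths only
FLEET="$WORK/fleet"           # the "running" server instances

# Build the constructed environment: a golden image and one suspect host whose
# application binary no longer matches the image.
setup_env() {
    mkdir -p "$GOLDEN/usr/local/bin" "$GOLDEN/etc"
    printf 'patched-binary-v2\n' > "$GOLDEN/usr/local/bin/app"
    printf 'version=2\n'         > "$GOLDEN/etc/app.conf"

    mkdir -p "$FLEET/web01/usr/local/bin" "$FLEET/web01/etc" "$FLEET/web01/srv/app"
    printf 'modified-binary\n'   > "$FLEET/web01/usr/local/bin/app"
    printf 'version=1\n'         > "$FLEET/web01/etc/app.conf"
    printf 'customer records\n'  > "$FLEET/web01/srv/app/data.db"

    # The backup taken before the incident holds only the data path.
    mkdir -p "$BACKUP/web01/srv/app"
    printf 'customer records\n'  > "$BACKUP/web01/srv/app/data.db"
}

# Step 1: blow the suspect instance away and recreate it from the golden image.
rebuild_host() {
    host="$1"
    rm -rf "$FLEET/$host"
    mkdir -p "$FLEET/$host"
    cp -R "$GOLDEN/." "$FLEET/$host/"
}

# Step 2: restore data paths only. System and binary paths come from the image,
# never from the backup, so a tampered binary cannot ride back in with the data.
restore_data() {
    host="$1"
    mkdir -p "$FLEET/$host/srv/app"
    cp -R "$BACKUP/$host/srv/app/." "$FLEET/$host/srv/app/"
}

# Step 3: every file shipped in the image must be byte-identical on the host.
# Returns non-zero and names the first drifted file otherwise.
verify_host() {
    host="$1"
    (cd "$GOLDEN" && find . -type f) | while read -r f; do
        cmp -s "$GOLDEN/$f" "$FLEET/$host/$f" || { echo "DRIFT: $f"; exit 1; }
    done
}

rebuild_and_restore() {
    host="$1"
    rebuild_host "$host"
    restore_data "$host"
    verify_host "$host"
}

setup_env
rebuild_and_restore web01 && echo "web01 rebuilt from image and verified"
```

The design choice worth keeping when this is wired to a real orchestrator is the split between `rebuild_host` and `restore_data`: the image is the only source of executable content, backups supply data only, and the verification step is what turns "we rebuilt it" into evidence that the host now matches the known-good image.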