For example, you should run vulnerability scans on your infrastructure, but don't. Perhaps your company doesn't have a vulnerability disclosure policy, but should.

Why not?
I no longer work at the company, but I used to work at a startup doing IoT devices. Our cloud server didn't stay up to date with security vulnerabilities as we should have. Basically letting MySQL get behind in versions. There was also the issue of SSL being forgone in the name of time saving since I was the only one working on infrastructure. The development platform we were using broke on older versions with SSL enabled, so it was thrown into the wind before I had the time to deal with it.

This was due to being inexperienced with the work, too many duties, and a timeline that didn't give me the time that I needed to fully understand some topics.

TL;DR:

- Security vulnerabilities from version updates
- SSL on some platforms
- Not having a dedicated / experienced individual on staff for dev ops in general
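The two gaps the post above describes, a database that quietly fell behind its patch baseline and TLS that was switched off "temporarily" and never re-enabled, are both cheap to detect once someone owns the check. The script below is an added example, not code from the thread or from any project mentioned in it: it compares version banners against a patch baseline and audits a MySQL option file for TLS enforcement. The banners, the baseline versions and both config files are constructed sample input, and the baseline numbers are illustrative placeholders rather than a recommendation for any particular release.

```python
"""Drift check: flag services behind a patch baseline and a MySQL option
file that accepts plaintext connections. Sample input is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    component: str
    severity: str
    detail: str


def parse_version(text: str) -> tuple[int, ...]:
    """Pull the first dotted numeric version out of a banner such as
    'mysqld  Ver 5.7.12 for Linux' and return it as a comparable tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_behind(installed: str, baseline: str) -> bool:
    """True when the installed version is older than the baseline.
    Shorter tuples are zero-padded so that 5.7 compares equal to 5.7.0."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_versions(banners: dict[str, str], baseline: dict[str, str]) -> list[Finding]:
    """Every component in the baseline must be inventoried and at or above it."""
    findings = []
    for name, minimum in baseline.items():
        banner = banners.get(name)
        if banner is None:
            findings.append(Finding(name, "high", "not inventoried; cannot prove it is patched"))
        elif version_behind(banner, minimum):
            findings.append(Finding(name, "high", f"{parse_version(banner)} is behind baseline {minimum}"))
    return findings


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal my.cnf-style parser: {section: {key: value}}; bare flags map to ''.
    MySQL treats '-' and '_' in option names as equivalent, so keys are normalised."""
    sections: dict[str, dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip().replace("-", "_").lower()] = value.strip()
    return sections


def check_mysql_tls(config_text: str) -> list[Finding]:
    """Audit the [mysqld] section for the settings that decide whether a client
    can talk to the server in the clear (option names are real MySQL options)."""
    mysqld = parse_ini(config_text).get("mysqld", {})
    findings = []
    if "skip_ssl" in mysqld or mysqld.get("ssl", "").upper() in ("0", "OFF"):
        findings.append(Finding("mysql", "high", "TLS explicitly disabled (skip_ssl / ssl=0)"))
    missing = [k for k in ("ssl_ca", "ssl_cert", "ssl_key") if k not in mysqld]
    if missing:
        findings.append(Finding("mysql", "high", f"no server certificate material: {', '.join(missing)}"))
    if mysqld.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append(Finding("mysql", "medium", "require_secure_transport is not ON; plaintext clients accepted"))
    if mysqld.get("bind_address", "0.0.0.0") == "0.0.0.0":
        findings.append(Finding("mysql", "medium", "listening on all interfaces"))
    return findings


# Constructed sample input: banners as printed by the binaries, plus an
# illustrative baseline (placeholder versions, not a recommendation).
BANNERS = {
    "mysql": "mysqld  Ver 5.7.12 for Linux on x86_64 (MySQL Community Server (GPL))",
    "nginx": "nginx version: nginx/1.18.0",
}
BASELINE = {"mysql": "5.7.40", "nginx": "1.18.0", "openssh": "9.0"}

WEAK_MY_CNF = """
[client]
port = 3306

[mysqld]
bind-address = 0.0.0.0
# TLS was turned off to unblock a dev platform and never turned back on
skip_ssl
"""

HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
ssl-ca = /etc/mysql/ca.pem            # placeholder paths
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
require_secure_transport = ON
"""

if __name__ == "__main__":
    for f in check_versions(BANNERS, BASELINE) + check_mysql_tls(WEAK_MY_CNF):
        print(f"[{f.severity}] {f.component}: {f.detail}")
    print("hardened config findings:", check_mysql_tls(HARDENED_MY_CNF))
```

Run as a cron job or CI step, the script turns "we should keep up with versions" into a failing check that names the component and the setting; the weak config yields four findings and the hardened one none.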
> Why not?

From a sysadmin/devops PoV it boils down to flexibility. Security comes at the expense of flexibility, and flexibility is more important for the survival and well-being of many/most IT companies, and it's especially crucial to startups.