I think we've probably all seen mistakes being made by people who should know better in the industry but servers must still be a much harder target than, for example, my dad, who somehow gets his browser hijacked by a different malicious extension a couple of times a year.

It's been probably 20 years since I've seen passwords stored as plain text at any company I've dealt with, which is some progress at least!