http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
Here's an interesting writeup on how Target's payment systems were broken into.
On a quick glance, it seems unbelievable, but I bet there are tons of systems like this in place in various companies. Sure, many of them don't probably process payments, or other private information.
Even for us that know better, it's a constant battle. I mean, how many times have we gotten the call from some other department, that they've installed a device or something, and suddenly need an external IP address, or just a network port.