The overwhelming (99%+) primary causes of all security breaches are rooted in managerial lapses. Technology incidents then just follow.
Errors of omission can be always listed in the encyclopedia of security malfeasance, but are not the only cause.
Internet is now at least as complex as the human blood, nerve and lymph systems - the exception being that an MD approaches a sick human with some degree of knowledge and that diseases - once diagnosed - are largely deterministic. In contrast, Internet maladies can assume many different forms because they can adapt as millions (even billions) of countermeasures are neutralized.
There may be ten thousands of configuration errors dues to omission or there may be software bugs that have not been fixed due to neglect. However, CIOs deliver what top management expects, which are applications delivered on time and on budget. Top management has hardly ever demanded secure systems.
Blaming CIOs for insecurity does not recognize that the fundamental flaws are managerial, from top down.
1. "More than 78 per cent of all PHP installations are running with at least one known security vulnerability..." (http://www.theregister.co.uk/2014/12/31/want_to_have_your_server_pwned_easy_run_php/) - December 31, 2014
2. "...as of January 2013, PHP was installed on more than 240 million websites..." (http://en.wikipedia.org/wiki/PHP).
3. Even though PHP is buggy, so are all other commonly used programming platforms:
FOR LINE IMAGE SEE BELOW
Asking CIOs to fix all configuration errors is not feasible. Top management should demand delivery of secure systems and for CIOs to prove that they deliver that. That will require changing expectations and budgets.
Rules are altered by top management, not by CIOs.