Just recently, as I was speaking at SQLBits, I spoke to a DBA who said that about 5-6 years ago he went to work for a bank that had over 1000 SQL Server instances. He said the first thing he did was to review SA security, he was dismayed to find that about 500 of the instances had no SA password, or a very weak SA password, and that many of the bank's applications had the SA and blank password coded into their applications. He said he had to fight management to get this changed, as they didn't want to spend the money to modify the hard-coded applications to use a more secure password or to use Windows authentication. Unbelievable.