Unfortunately given the small size of a lot of companies these suggestions are just impractical. What we need is software and hardware that takes care of this for us. SQL Server, Windows, Firewalls, etc should have intelligent default configurations that are secure by default.

IT workers at small businesses often wear multiple hats and as such can't humanly be expected to master the intricacies of of every specific discipline such as firewall administration when they only deal with this area once a month at most.