• A variation on the 'passwords in files' exposure is the activity which genuinely requires use of a powerful ID but logs the connection details, including the password, in plain text.
    I once worked for a company which used a product from a very well-known database vendor (not MS and SQL Server). The procedure for applying patches from the vendor went: log in as super-user, change the super-user password to a temporary value, log out, run the patching process (which logs everything in plain text), then change the super-user password to a strong secret value. Followed unofficially by "wonder how a vendor of such prominence can continue to get away with such practices despite having the folly pointed out to them repeatedly".
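The rotate-around-the-operation workaround described in the post, as an added example (not the poster's code, and not any vendor's tool): a wrapper that sets a random throwaway password on the privileged account, runs the chatty operation, restores the real password in a `finally` so it is restored even when the patch fails, and then scans and redacts the log for the temporary value. The `run_patch` and `set_password` callables, the `SAMPLE_LOG` text and the `demo()` stubs are all constructed for the example.

```python
import re
import secrets
import string

# Constructed sample of what a chatty patch tool's log might look like.
# Made up for this example; it is not output from any real vendor tool.
SAMPLE_LOG = """\
2024-01-05 10:02:11 INFO  connecting as SYSADMIN to dbhost:1521
2024-01-05 10:02:11 DEBUG connect string: SYSADMIN/Tmp-Patch-9f3a2b@dbhost:1521/PROD
2024-01-05 10:02:12 INFO  applying patch bundle 3.2.1
2024-01-05 10:02:40 DEBUG argv: ['patchtool', '--user', 'SYSADMIN', '--password', 'Tmp-Patch-9f3a2b']
2024-01-05 10:02:41 INFO  patch complete
"""

ALPHABET = string.ascii_letters + string.digits + "-_"


def make_temp_password(length=24):
    """Random throwaway password. It is short-lived, but it must still not be
    guessable: the log may be readable by others while the patch is running."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_leaks(log_text, secret):
    """Return the 1-based line numbers on which the secret appears verbatim."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if secret in line]


def redact(log_text, secret):
    """Replace every occurrence of the secret. re.escape guards against
    regex metacharacters in a randomly generated password."""
    return re.sub(re.escape(secret), "***REDACTED***", log_text)


def patch_with_temporary_credential(run_patch, set_password, final_password):
    """Wrap a logging-heavy privileged operation so only a throwaway password
    ever reaches its log.

    run_patch(temp_password) -> str   runs the tool and returns its log text
    set_password(new_password)        changes the powerful account's password
    Returns (redacted_log, leak_line_numbers).
    """
    temp = make_temp_password()
    set_password(temp)
    try:
        log = run_patch(temp)
    finally:
        # Restore the real password whether or not the patch succeeded, so the
        # value sitting in the log is already dead by the time anyone reads it.
        set_password(final_password)
    leaks = find_leaks(log, temp)
    return redact(log, temp), leaks


def demo():
    """Stand-alone run against the constructed log with stubbed callables."""
    changes = []

    def fake_set_password(p):
        changes.append(p)

    def fake_run_patch(temp):
        # Pretend the tool logged whatever password it was given.
        return SAMPLE_LOG.replace("Tmp-Patch-9f3a2b", temp)

    log, leaks = patch_with_temporary_credential(
        fake_run_patch, fake_set_password, "Real-Strong-Secret!")
    return changes, log, leaks


if __name__ == "__main__":
    changes, log, leaks = demo()
    print("password changed %d times; secret leaked on log lines %s" % (len(changes), leaks))
    print(log)
```

The scan step is the part the original procedure lacks: it tells you which log lines to treat as sensitive (and to redact before the log is shipped anywhere), and it only works because the temporary value is random and unique to this run. Reusing a fixed "temporary" password would turn the log into a reusable credential for the next patch window.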