The power of defaults. The few successful Internet security "best practice" changes have primarily resulted from changes to default settings, not from trying to get ISPs, operators, sysadmins or users to change.

- Smurf attacks: changed the default directed-broadcast setting in the dominant router vendors' products
- Open SMTP relays: changed the default relay setting in the dominant SMTP server software sources/vendors
- Windows network-level worms: changed the default Windows XP SP2 firewall setting to block inbound connections

Although it may take 10+ years for a product replacement cycle (Windows XP is taking longer), the same laziness/money/ignorance reasons that make it nearly impossible to get people to implement "best practices" are why a change to the default settings is so effective. The few times the new default doesn't work, the operator then has an incentive to change it. The times the default doesn't impact the operator, there is no incentive to change it.

Expecting an average person (ISP, sysadmin, programmer, etc.) to discover and understand many obscure configuration options which don't directly impact what they want to do isn't realistic. People tend not to proactively look for problems until something causes them a problem. Even worse, systems tend to revert back to defaults when a mistake or a change to an unrelated part of the system is made without the user/operator realizing it. The "experts" are the people who created the open source software or the vendors creating the product, not the users/customers. SSH is a rare example where operators proactively sought out and changed their behavior; but even then, there were probably more operators that went with the default.