More cynical I would have said, but unfortunately true.

There are numerous organisations that accept malware infections as a matter of course. So long as it does not affect their operations dramatically or drop them into regulatory compliance difficulties. They tacitly allow employees to surf the net, run P2P applications, visit their social networking sites and access their private e-mail accounts.

So is he saying the old conventional way of each PC having its own admin password is the best security, so if one PC is infected the rest are safe until they are cracked?
I don't think so. In those environments there was always a super administrator account. Pretty much the same as compromising the network administrator and central updating mechanism.

There is also bad stuff that crawls over the network with "system" rights?

Part of the issue might be that the nature of malware has changed? These days it is very commercial, criminal and stealthy. If we were still in the days of viruses with malicious payloads and worms that choked your bandwidth bringing whole businesses to a halt, then I think that management attitudes would be rather different.

Another thought is that the way we use computers has changed. We now have thin clients, network applications and web-based applications as commonplace. Basically the more you communicate and the more ways in which you do so, the more doors you leave open.

When I repair or upgrade a machine I routinely scan it for malware, and it is amazing the amount of stuff that I find that the owner just isn't aware of because it doesn't have any noticeable effect on their computer usage........... other than maybe it running a bit slower?