coldcode 2 days ago
I once worked a contract at a public University, and the first thing I noticed was their SSO implementation. You logged into a single page, and then it called the other applications with a GET putting the username and password in the clear in the URL. Facepalm.
supportengineer 2 days ago
I once worked at a company in the Healthcare space that acquired a small company for $10 million. When the deal closed and they showed us the Patient Portal, the first thing I noticed was no HTTPS. At all. Just plain HTTP everywhere.