A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

Key findings:

• Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
• We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
• Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
• Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
• Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
• Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
• Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
• Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.

Some serious findings indeed, but it's good to see the Government performing thiese kind of assessments and trying to get some traction on remediation of findings.

Whilst reading the report consider how well your organization would have fared in this type of assessment.

I also found the link for the 2010 report [pdf]  for comparison.