Mr. Picard, we see both extremes. Last week, for example, the personal information of 500 million customers of the biggest bank in India were exposed to the general public because the server that contained that information was not secure and had no password. A system within that megabank's network was vulnerable, plain and simple. It was a basic error; personally, I would call it a rookie mistake.
Today, Canadian financial institutions use the best equipment they can find. They have sufficient resources to afford it. The fact remains that these are commercial products, available to any company in the world and with the same kinds of vulnerabilities. So they need teams that are able to conduct checks and more checks, over and over again, in a constant cycle, in order to determine whether the system is still solid and valid. Most SMEs have systems installed for them; they say they have a firewall, they believe they are protected and they stop worrying. Unfortunately, some of that equipment is vulnerable. So the checking must be constant.