This is from Sourcemedia's Financial IT Security Intelligencer:
During a year's worth of bank and credit union security audits, audit firm Redspin found that 30 percent of firewall configurations evaluated violated the institution's own security policy. Not surprisingly, Redspin offers a tool that can detect and remedy these inadvertent holes. The company pins the industry-wide problem on the fact that most IT administrators have wide-ranging responsibilities rather than a network engineering focus. To highlight the issue, the vendor is offering free use of an online version of its analysis tool for the next 90 days, available at www.redspin.com/tools.
Here's Redspin's PR. I don't have any way to verify this report, but it's also about what I would expect. Administrators are too busy cleaning the CEO's laptop of its latest viruses to be ensuring their firewalls work.