I once had a sysadmin (!) that said to me, "We're running SSL so aren't we secure?" I went on to explain things like SQL injection and XSS. I mentioned how simple authorization bugs can ruin your security. I think he got the picture... I hope.