I went to a computer security seminar not too long ago, where they listed the most recent big "data thefts" - and in all but 1 case, it was a security issue with just someone "walking out" with the data - no one actually "breaking in" and stealing the data.

(point being that the physical security / access logs of employees looking at data should be as important as outside-world access security)