Hi Lars,
it is also my experience that security is generally a very low priority in SAP implementation projects. This is exactly the reason why I like your blog that showed and explained some very basic mistakes.
As an example take the systems that expose WebUI over HTTP. I would expect this happens due to the following reasons. Some functional consultant or developer needs to solve a problem in a project. To solve this problem some SICF service need to be activated. Without an understanding of the possible security risks these services are activated without some expert in the security area involved. This results in the the problematic situation you have described (WebUI or other service being exposed over HTTP). It's also clear to me, that some additional errors need to happen (e.g. firewall configuration etc.) for the system being exposed on the internet.
The point I'm trying to make is that more consultants and developers should be aware of the security implications of some of their actions. This would IMHO help to significantly improve. The more people are aware of the risks, the higher the probability is that someone thinks twice before performing a critical action. I don't think security can be achieved by just pointing at security consultants and/or auditors. These guys are just a part of the whole puzzle.
In summary, this is what I liked about your blog post and why I think it is a pity it is gone. It was a nice introduction for the non-experts in the security area.
Christian