#1 – Default install while attached to the network – you can lose the system before you have entered a password for the SA account.
#2 – The many applications that install MSDE without a password on SA, or that don't require that step during install.
(Two parties are at fault: the app maker, for not telling you and not helping you make it secure, and the user, for not knowing what the application is installing, especially on a production machine.)
#3 – Applications with a default user and default password. Some apps give security control to this 'superuser'. With SQL set to be a transparent service, a hacker with the user/password can troll for your server using ODBC connections.