At the risk of spreading FUD.
Another Security professional realized what we have been trying to say for a while.
The good news is that there are a lot of controls that a good IT/IS security guy wouldn't know of. If there wasn't then you have no idea how much chaos we would already have.
The bad news. What he saw was pretty typical and not unusual. (I know redundant)
Welcome to our world.
Sorry that sounded a bit snarky. There are SCADA security groups that are doing good and arev well informed. The problem is that in general the level and numbers of both good and bad items in the SCADA world can be compared with the state of info security in the standard IT world in about 2000. I discuss this briefly in my myths facts and goals post but it should get more attention.