Critical security upgrades for Victorian government databases have been left unpatched for more than six years.
Some passwords on "super-user" accounts are also not required to be changed, leaving them vulnerable to hackers.
A Victorian auditor-general's report into the state government's information and communications technology security found serious flaws.
"Overwhelmingly, a recurring finding is the need to improve ICT security controls," Auditor-General John Doyle said on Wednesday.
He said almost half of the security recommendations from previous years had still not been fixed, and departments were fixing low-risk flaws faster than high-risk ones.
"Agencies need to accelerate the rate at which they are resolving audit findings," Mr Doyle said.
The report found ICT disaster recovery planning is weak, and departments fixed symptoms rather than improving processes.
It also found three critical security patches for a database server had not been applied, despite the oldest one being available from March 2008.
In one system, 79 passwords ranged in age from 98 to 742 days.
The use of Windows 2000 and Windows XP, 14-year-old operating systems no longer supported by Microsoft, was listed as a high-risk problem.
Mr Doyle said outsourcing of government ICT to the private sector had some benefits, but also opened new avenues of security risk.
"The risks associated with such an approach needs to be understood and actively managed," he said.
The report examined 39 departments and government agencies in 2013-14.