Phishing, misconfigurations and missing patches are top concerns among security leaders, but they also say their organizations are letting observability tools gather rust.