From web app flaws to a lack of 2FA, Rapid7 found lots of common soft targets in the networks it breached on behalf of clients.