The most common mistake is exposing services publicly without a real need. If a service is not supposed to be public, keep it off the public internet. VPN/Tailscale is enough in many cases.
Second mistake: no patch rhythm. You do not need random daytime updates; you need a quiet maintenance window and a concise morning status summary.
Third: shared passwords and missing 2FA on critical panels. Minimum baseline: unique passwords, secret manager, and MFA.
Fourth: raw logs dumped into chats. Alerts must be human-readable: issue, impact, next action. Otherwise, real signals get buried.
Fifth: no network segmentation. IoT, admin nodes, and public-facing services should live in separate access zones.
Practical checklist: close unneeded ports, define a fixed update window, test a backup restore end to end, remove secrets from chats, audit who has access to what.
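As an added example (not part of the original checklist), a small Python audit that ties the first, fourth and last points together: it parses `ss -tulnH` output, flags listeners bound beyond loopback or the VPN interface whose port is not on an allowlist, and renders the finding as issue / impact / next action instead of a raw log dump. The `ss` sample, the allowlist, and treating the 100.64.0.0/10 range as the Tailscale interface are constructed assumptions; on a real host the input would come from running `ss -tulnH`.

```python
"""Listener audit with issue/impact/next-action alert (added example, constructed data).
Assumes Linux `ss -tulnH` output and that 100.64.x.x is the Tailscale/VPN interface."""
from dataclasses import dataclass

# Constructed sample of `ss -tulnH` (columns: proto state recv-q send-q local peer).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    100.64.0.5:3000   0.0.0.0:*
"""
ALLOWED_PUBLIC_PORTS = {22}                      # constructed policy: only SSH may face the network
TRUSTED_PREFIXES = ("127.", "[::1]", "100.64.")  # loopback plus the assumed VPN (Tailscale) range

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

def parse_ss(output):
    """Parse `ss -tulnH` lines into Listener records; malformed lines are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # rpartition also handles [::]:22
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners

def find_exposed(listeners, allowed=ALLOWED_PUBLIC_PORTS):
    """Listeners reachable beyond loopback/VPN whose port is not allowlisted."""
    return [l for l in listeners
            if not l.addr.startswith(TRUSTED_PREFIXES) and l.port not in allowed]

def format_alert(exposed):
    """Issue / impact / next action: the shape a person can act on at a glance."""
    if not exposed:
        return "OK: no unexpected network-facing listeners."
    where = ", ".join(f"{l.proto}/{l.port} on {l.addr}" for l in exposed)
    return (f"ISSUE: {len(exposed)} unexpected network-facing listener(s): {where}\n"
            "IMPACT: reachable from outside the host without an allowlist entry\n"
            "NEXT ACTION: stop the service, bind it to loopback/VPN, or add the port to the allowlist")

if __name__ == "__main__":
    print(format_alert(find_exposed(parse_ss(SAMPLE_SS_OUTPUT))))
```

Run from the maintenance window's cron job, the one-line OK or the three-line alert is what lands in the morning summary; the PostgreSQL listener on 127.0.0.1 and the service bound only to the VPN address are correctly left alone.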