The initial way in

Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (on networks, applications, protocols, etc.) and write or use exploits in order to gain access to their targets.
While to some extent this might be true, a lot of attackers use other techniques to gain that initial way in. Social engineering is a great way to convince someone to download and open a weaponized document or binary file and have him or her infected with a piece of malware that will allow the attacker to remotely access the system.

Social engineering doesn't necessarily mean calling or emailing the target. Sometimes sending a bunch of product samples might do the trick. For example, sending cheap USB flash drives or leaving them at the reception of your target can do wonderful things. Have the USB point to a malicious binary that will be automatically run when inserted into a computer or have a seemingly harmless PDF file called something along the lines of "Get more free samples.pdf" outfitted with some malware and you now have access to the system, remotely.

However, IT and security departments are getting smarter and they are pushing out group policies that disable the autorun feature in their systems. They are also scanning document files (Office documents, PDF documents) and images (GIF and JPG) for malicious code embedded in them.
It doesn't really matter though. Instead of having a USB thumb drive you can now use tiny flash cards and embed them in the USB plugs of mice, keyboards, cameras and other devices. You can outfit them with keyboard loggers, autoruns that will execute a piece of malicious software and even a voice-activated digital recorder (I've used those to record and extract conversations in a conference room, having access to confidential material that otherwise I wouldn't have had).

The initial way in is important. Today, malicious users have an arsenal of techniques, software and hardware that allows them to achieve this in ways that could make 007 jealous.

Of course we, as red teamers, can use the same techniques and technology for our ops. It's always fun to see what works and what doesn't.

Internal assessments
