Based on experience, people think adversaries (they call them hackers) always find vulnerabilities (on networks, applications, protocols, etc) and write or use exploits in order to have access to their targets.
While up to some extent this might be true, a lot attackers use other techniques to gain that initial way in. Social engineering is a great way to convince someone to download and open a *weaponized* document or binary file and have him or her infected with a piece of malware that will allow the attacker to remote access the system.
Social engineering doen't necessarily means calling or emailing the target. Sometimes sending a bunch of *product samples* might do the trick. For example, sending cheap USB flash drives or leaving them at the reception of your target can do wonderful things. Have the USB point to a malicious binary that will be automatically run when inserted on a computer or have a seemingly harmless PDF file called something along the lines of "Get more free samples.pdf" outfitted with some malware and you now have access to the system, remotely.