Friday, August 20, 2010

Active Directory SPOF

We had a great example of an AD SPOF (single point of failure) recently. A VBScript had been written by someone with no malicious intent to (for some reason) hook into AD and check service accounts. What this script ended up doing, though, was locking out said service accounts. Within the span of 30 minutes we were well on our way to locking out 400+ service accounts in the enterprise, irrespective of environment. This took production out of commission.
Seems like a bit of a hole to me.

