Large organizations have to manage high staff mobility and turnover. Access requirements of employees and contractors change rapidly as they are re-assigned from one position to another. When users try to access something that they need to do their job, and get an 'access denied' error message, they call the help desk, figure out what's missing, and get it fixed. In other words, processes for granting new privileges to users may not be friendly or timely, but they are always reliable.
The same cannot be said of privilege deactivation. When was the last time a user in your organization called the security administration desk and asked that an old ID or group membership be removed? In reality, users may forget that they have the old privilege, may not understand the security infrastructure or may simply hoard old privileges "just in case."
The net result of unreliable and/or untimely access termination processes is that users accumulate inappropriate security rights.
I often go into a small to medium organization and find an entire archaeology of former employees and changed current employees subsumed into the system. My favorite is when an employee is signing on to the "Assistant's" account, with the same password and username as the last five holders of that position. In small and medium organizations, a hired gun like me can ask a few questions and clean it up. In a large company, there may not be anyone who knows for certain about required rights and privileges, or even a current master list of users.
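The accumulation described above is detectable if you reconcile what the directory actually grants against what HR says each person currently does. The following is an added example, not code from the original article: it compares a directory snapshot against an HR roster and a set of role-to-group definitions, and flags three of the failure modes mentioned here: departed users whose accounts were never disabled, accounts with no HR record at all (the generic "Assistant" style shared account), and active users still carrying groups their current role does not require. All users, roles and group names are constructed sample data.

```python
"""Entitlement reconciliation: compare a directory snapshot with the HR roster
and role definitions to surface orphaned accounts and accumulated privileges."""
from dataclasses import dataclass


@dataclass
class Finding:
    account: str
    kind: str     # 'departed', 'unknown' or 'excess'
    detail: str


# Constructed sample data (hypothetical users, roles and groups, not from any real directory).
HR_ROSTER = {          # account -> (current role, still employed?)
    "alice": ("accounts_payable", True),   # moved here from the help desk
    "bob":   ("help_desk", True),
    "carol": ("accounts_payable", False),  # left the company; account never disabled
}

ROLE_ENTITLEMENTS = {  # role -> groups a holder of that role legitimately needs
    "accounts_payable": {"erp-ap-users", "vpn"},
    "help_desk":        {"helpdesk-tier1", "vpn", "pw-reset"},
}

DIRECTORY_SNAPSHOT = {  # account -> groups actually assigned in the directory
    "alice":     {"erp-ap-users", "vpn", "helpdesk-tier1"},        # old help-desk group still attached
    "bob":       {"helpdesk-tier1", "vpn", "pw-reset"},
    "carol":     {"erp-ap-users", "vpn"},
    "assistant": {"erp-ap-users", "vpn", "file-share-admins"},     # generic shared account, no owner
}


def reconcile(roster, role_entitlements, snapshot):
    """Return a list of Findings for every account whose access is not
    explained by an active HR record and that record's current role."""
    findings = []
    for account, groups in sorted(snapshot.items()):
        if account not in roster:
            # Nobody in HR owns this account: shared, generic or leftover.
            findings.append(Finding(account, "unknown",
                                    "no HR record; likely a shared or leftover account"))
            continue
        role, active = roster[account]
        if not active:
            # Deprovisioning never happened.
            findings.append(Finding(account, "departed",
                                    "user no longer employed; account still enabled"))
            continue
        # Active user: anything beyond the current role's entitlements is hoarded access.
        for group in sorted(groups - role_entitlements.get(role, set())):
            findings.append(Finding(account, "excess",
                                    f"group {group!r} not required by role {role!r}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, DIRECTORY_SNAPSHOT):
        print(f"{f.account:<10} {f.kind:<9} {f.detail}")
```

Run periodically (or at every HR status change), this kind of report turns the one-way ratchet into a review queue: each finding is either revoked or explicitly approved by an owner, so privileges stop accumulating silently. The role-entitlement table is the hard part in a large organization, and building it is exactly the "master list" the article says is often missing.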
I know, you are asking yourself---"How can this be? Is there really any organization that is so careless that there are such gaping holes in their security?"
Well Timmy, here is the sad answer: There are a lot of them. And they have your personal information, lurking right there on their insanely insecure systems, just begging to be accessed by an unauthorized and ethically-challenged user.