There was a SEV review meeting once upon a time, and in it, we had reviewed some incident where something bad happened involving something that ran as root. I don't remember the finer points of that one any more, but the resident VP who ran the show wondered aloud how much "root exposure" we had in our infra in general. That got my attention.
I decided to try to get an answer to it. While in the meeting, I hit up my little dataset of everything running on any machine in production, then narrowed it down to anything running as root (that is, uid 0), and also with some (TCP) network listening ports. I figured those would be the easiest to "pop". Think "SELECT ... FROM ... WHERE uid = 0 AND ports IS NOT NULL" type of thing.
After the meeting ended without using the whole 90 minutes, the room was still reserved for another 15-20 minutes or so, and a couple of people hung out to look at the list. One noticed that this one service running everywhere had these options for "pre" and "post" commands. This was a service which was normally used for performance measurement stuff and involved running an external command. You'd say "okay, analyze this thing for me", and it'd crank for a bit and kick back a bunch of data points on whatever you had targeted. That much was fine, but unfortunately you could specify arbitrary commands to run before or after the request.
One of the people there came up with a test and built a command that should run "touch /tmp/(their name)-was-here". Then they fired it off, and another person looked, and sure enough, the file had appeared in /tmp, owned by root. (I should note that this person didn't have any magic permissions for that service, lest you think that's what happened here.)