Spotting security problems

What is a security problem?

What actually constitutes a "security problem" depends on the threat model. I will be arguing from the perspective of a medium-to-large company in an unspecified line of business.

I will mostly be arguing that a "security problem" is something that leaks business-sensitive data, personal data or data that may cause disruptions to the company's day-to-day work. We'll also class anything that aids (sufficiently) in compromising physical security or information security as a "security problem".

Physical security problems

Regular fire alarm testing

Any building that does a fire alarm test in the "obvious" way (namely, alert your alarm centre that you will be doing a test and then set the fire alarm off) is causing a security problem. During a fire alarm, most building codes require that electronically locked doors fail safe, that is, default to an unlocked state. If it's known that a building tests the fire alarm at (say) 3 PM on the first Monday of every month, the opportunity for unrestricted access to otherwise-blocked parts of the building is open at a predictable time.

Finding out when fire alarm tests are done isn't that difficult; it can be done with (sufficiently frequent) phone calls. I have yet to meet a building fire alarm that isn't audible via a phone conversation (they're loud and obvious). From there, finding out that it's a regular occurrence is but a "But there's a fire alarm, shouldn't you head out?" away.

This is a problem both for access control and for audit purposes. An unlocked door doesn't stop people from entering (or exiting) an area. Similarly, there is no logging of who has passed through (or, indeed, of whether anyone has passed through).

Data flooring

If you've ever walked through a data centre, you have probably seen data flooring. It looks like a normal floor, and therein lies the problem. If (as some data centres do) you want to restrict access to one or more racks, you can build a cage around the racks, ideally a cage coupled with some form of access control, be it a physical lock or some sort of pass-card system.

What is less obvious at first sight (and thus easy to overlook) is that data flooring is raised and usually has a void underneath that is high enough to crawl through. Inspection of a few data centres with cages has shown that it's quite common for the cage not to extend under the floor, leaving a nice crawlspace for access (or for bypassing the access audit logs).

Information leaks

"Not in" e-mail auto-responders

Any "I am not in until insert date" auto-responder may be a security problem. More noticeably so in a company that is large enough that you wouldn't expect to recognise the voice of everyone in the company on the phone.

By providing a handy notification that someone is out of the office (travelling on business, on annual leave or similar), the company is suddenly slightly more vulnerable to social engineering.

If we know that Joe Bloggs is on annual holiday or a business trip, we can call the switchboard and say "Hello, this is Joe, could you patch me through to the IT help-desk?" and once connected say "Hello, Joe here. As you know, I'm travelling, but I find myself in DESPERATE need to check my e-mail. Nope, not home, can't VPN myself in. We have web mail access, don't we? Excellent, could you just give me the details. No, my cell phone is out of charge, but you can reach me on insert phone number here." and then (if we're lucky) proceed to harvest interesting stuff from Joe's mailbox.

Helpful e-mail auto-responders

Like almost everyone else in the world, I've had at least one e-mail address faked as the sender by one or more spam gangs. The replies this generated have provided a plethora of information I didn't even want in the first place. The more obvious problem we've just dealt with. A slightly less obvious problem is the "Person Personsdaughter has left the company, that job function is now performed by Another Personsson" auto-responder.

While nothing obviously sensitive has (yet) been leaked, we now have another avenue of attack for social engineering. Hopefully a valid, fresh avenue, at that.

Helpful receptionists

Helpful receptionists are both a great boon and a security problem. In the best of worlds, they won't mention who they're trying instead, that X is off to Tenerife for a month or that Y is, in fact, on a business trip, while still managing to get you connected to someone you can talk to.

In a less ideal world, they let slip DDIs (direct-dial numbers), extensions, holidays, names (maybe even names of people with sensitive jobs, like abuse desks at ISPs) and other information that might cause a security problem down the line.

Helpful voice mail greetings

In the same vein as auto-responders are helpful for determining who is and isn't in the office, a voice mail greeting that says "Person Personsdaughter is on annual leave, back in 6 weeks" is as helpful as (and potentially more helpful than) an e-mail saying the same thing.

It's potentially more helpful, since it gives you a good chance to listen to the accent and tone of the person, possibly assisting in impersonating them on the phone.

Other IT security problems

Password aging

Password aging (essentially enforced changes of passwords) is a big enough and thorny enough hidden problem that it has its own sub-essay.

Account lock-out due to failed login

While it makes sense, in some circumstances, to lock an account that has failed authentication several times in a row (usually three or five attempts), it is also an excellent denial-of-service mechanism, since the "denial" part is built in: anyone who knows (or can guess) a user name can lock that user out simply by getting the password wrong the required number of times.

This is a method frequently used on voice-mail systems, to lessen the chances of exhaustive password/PIN guessing.
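The trade-off described above, as an added example that is not code from the original essay: a small Python model of a three-strikes hard lock-out beside a time-limited lock-out whose window doubles on each repeat. The user names, passwords, threshold and delays are constructed for the illustration; a real system would store password hashes, not plaintext.

```python
# Added example (not from the original essay): a toy model of "lock the
# account after N failed logins" and the denial-of-service it hands to anyone
# who knows a user name, beside a bounded, escalating lock-out. User names,
# passwords, the threshold and the delays are constructed for illustration.

import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # hypothetical policy: three strikes


@dataclass
class Account:
    password: str              # plaintext only because this is a toy
    failed: int = 0            # consecutive failures since last success/lock
    lockouts: int = 0          # consecutive lock-outs without a success
    locked_until: float = 0.0  # 0 = open; float("inf") = until an admin unlocks


def sample_accounts():
    """Constructed sample data."""
    return {"alice": Account("correct horse"), "bob": Account("battery staple")}


class HardLockout:
    """Classic policy: N failures lock the account until an administrator
    unlocks it. The legitimate user is frozen out and the help desk becomes
    part of the recovery path (and a social-engineering target)."""

    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "no such user"
        if acct.locked_until == float("inf"):
            return "locked"
        if password == acct.password:
            acct.failed = 0
            return "ok"
        acct.failed += 1
        if acct.failed >= LOCKOUT_THRESHOLD:
            acct.locked_until = float("inf")
            return "locked"
        return "bad password"


class BackoffLockout:
    """Alternative: after N failures the account is locked for a bounded period
    that doubles each time it is re-locked (capped at max_delay). Guessing is
    still throttled to N tries per window, but nobody can freeze the account
    for good and no administrator is needed to recover."""

    def __init__(self, accounts, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.accounts = accounts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so the window can be stepped through

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "no such user"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        if password == acct.password:
            acct.failed = 0
            acct.lockouts = 0
            return "ok"
        acct.failed += 1
        if acct.failed >= LOCKOUT_THRESHOLD:
            delay = min(self.base_delay * 2 ** acct.lockouts, self.max_delay)
            acct.locked_until = now + delay
            acct.lockouts += 1
            acct.failed = 0
            return "locked"
        return "bad password"


class FakeClock:
    """Stand-in for time.monotonic() so the example runs without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def lock_everyone_out(policy, users):
    """The attacker's side: once user names are known (a directory, an
    auto-responder, a voice-mail greeting), fail deliberately for each one.
    Returns the users that are locked afterwards."""
    for user in users:
        for _ in range(LOCKOUT_THRESHOLD):
            policy.login(user, "not the password")
    return [u for u in users if policy.login(u, "not the password") == "locked"]
```

Running `lock_everyone_out(HardLockout(sample_accounts()), ["alice", "bob"])` locks both accounts, and `alice` stays locked even when she presents the right password. With `BackoffLockout` and a `FakeClock`, the same attack locks `alice` for 30 seconds; after `clock.advance(31)` her correct password is accepted again, and a repeat attack only doubles the window. The bounded policy removes the permanent freeze but not the nuisance, which is why it is normally combined with per-source rate limiting so that one address cannot keep re-locking every account.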

Changes and thanks

A previous version of this essay is available. The difference between that version and this one is the section on account lock-out. Thanks to the following people for comments:

This is one of Ingvar's essays
