In our case, it was the human factor. You're lucky if the post-it with the password doesn't go right on the console. If it doesn't, everyone has the same password that everyone knows.
Staff gets annoyed by the need for a token, but they can't easily replicate it, so they're too worried about explaining how they lost theirs to just leave it around. Add a password that has to be changed, and soon enough they run out of combinations so obvious that they could be guessed in three tries, and syncing their passwords is more trouble than doing things right.
On tokens vs tokenless, I'm strongly for tokens. Tokens come dirt cheap in a box from China, they work in buildings with phone jammers, don't get left elsewhere out of fear of damage, there are no battery concerns, and they end up stored alongside physical keys, which people always recognize as items to be protected. And there's something to be said for the personal interaction in handing one over.
I don't see how you can separate real security control from the human factor. Security is all about minimizing the vulnerabilities from the human factor. Make it easier to comply with the rules than to work around them and you can get enough security that the system isn't wide open.
Source: Did SCADA.