When your car doesn’t start, that is a usually a huge problem, since the fact that you are trying to start your car implies you need to use it. Same goes with the furnace. It may not work all summer, but if it is out in December you are not going to be happy (or warm).
What’s interesting about Active Directory is that it has been running for almost two decades. Sure it’s been built and re-built; policies have been deployed, groups have been created, permissions have been changed, users have been added, but chances are it hasn’t been “Serviced” in a long time.
Most Active Directories have never been reviewed and culled for old users, old policies, or old groups. Many have never validated current roles with privileges given in Active Directory. Since hackers use AD as their primary tool once they’ve breached an environment, it would make sense to have AD as secure as possible.