While kind of light on depth, this article does bring up some good points. My commentary on some of these:
#3 - External consultants know more about information security than in-house personnel
This is a good one: people think they need to bring in a security company to do a couple of "pen-tests", present a thick report on how bad security is, and walk away. That is not security. I'm not saying don't use external consultants at all; they definitely have their place and Microsoft uses them extensively as well. But the outside security consultant is a tool just like any other tool in the Information Security Practitioner's drawer; it can be used appropriately and wisely, or not. More often than not people spend a lot of money and get a false sense of security because they are leveraging these consultants incorrectly.
#4 - Info Sec must be a separate org to be effective
I don't particularly think this is a myth that people out there believe one way or the other. A good security organization is an important part of any large organization today, but there are different approaches to security and, to a certain extent, security is of course the responsibility of all employees.
#5 - Complex Passwords make things more secure
Passwords suck. That's why Microsoft is planning on getting rid of all user passwords in 2007. I think other organizations are coming around to this as well.
#6 - Because SSL is turned on, the site is secure and so is my data
This is a personal pet peeve of mine. Sites will say they are very secure, and if you click on the "more info" button, more often than not they'll explain they're more secure because their web pages are served over SSL! What a crock. Sure, SSL mitigates a specific type of threat (the man-in-the-middle attack or sniffing), but of course it does nothing about what happens after the web server. What happens to the data in the database? What kind of ACL policy is there? What are the data transfer policies inside the corporate network? Is the data left in a flat file on a share that all authenticated users have access to? SSL in and of itself is not everything; it's just another layer.
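As an added illustration of that last question (this is example code written for this post, not anything from the article or from Microsoft), here is a small audit that checks the layer SSL never touches: whether data exported behind a TLS-fronted site sits in files readable by anyone beyond their owner. It assumes a POSIX filesystem, uses the group/other read bits as a stand-in for "all authenticated users have access", and builds its own two constructed sample files in a temp directory.

```python
import os
import stat
import tempfile

# Constructed sample: two order exports written by a web app that serves its
# pages over SSL. Transport encryption says nothing about how these are stored.
SAMPLE_FILES = {
    "orders_private.csv": (0o600, "order_id,card_last4\n1001,4242\n"),
    "orders_shared.csv": (0o644, "order_id,card_last4\n1002,1881\n"),
}


def readable_beyond_owner(path):
    """True if the group or 'other' read bit is set on the file (POSIX mode)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_data_at_rest(root):
    """Walk root and return relative paths of files readable beyond their owner.

    This is the check behind 'is the data left in a flat file on a share that
    all authenticated users have access to?'; the answer does not change no
    matter how the web front end was served.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if readable_beyond_owner(path):
                findings.append(os.path.relpath(path, root))
    return findings


def build_sample_store():
    """Create the constructed sample files in a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="orders_")
    for name, (mode, content) in SAMPLE_FILES.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)  # set explicitly so the umask does not decide
    return root


def demo():
    """Build the sample store and audit it; returns ['orders_shared.csv']."""
    return audit_data_at_rest(build_sample_store())


if __name__ == "__main__":
    for path in demo():
        print("readable beyond owner:", path)
```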