On average, the local McDonald’s has better cybersecurity than the typical federal office.

In its latest report on federal and state cybersecurity, SecurityScorecard put government at the No. 16 slot among 18 industries rated, above only telecommunications and education. This was a step up for government, which last finished at the bottom in overall cyber hygiene.

Researchers looked at current security postures of 552 federal, state and local government entities, each with more than 100 public-facing IP addresses. They rated the agencies based on security risks in 10 categories, including web applications, network security, leaked credentials and hacker chatter – how fast news of vulnerabilities spreads on hacker forums and in social media.

Overall, “government agencies are struggling to put up effective cybersecurity defenses – and hackers are taking advantage,” the authors found.

Government is failing to apply patches in a timely way, ranking near bottom on this metric. This leaves systems vulnerable, and may be the result of government agencies working with “old legacy systems that aren’t patch-friendly,” the study finds.

Some of the more dismal findings may not reflect imminent peril. Government finished dead last in hacker chatter, for instance, but the authors say this is to be expected. “Often times hackers are mentioning government websites because they are talking about these agencies sanctioning hackers or cracking down on enforcement,” they note.

Other gaps are more substantive.

The poor showing (No. 13) on the network security scale suggests real vulnerabilities, including open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and other security holes. “An insecure network is one of the easiest ways for a hacker to obtain access to sensitive data,” the authors note. “Once a hacker is inside the organization’s network, digital assets can be compromised or stolen outright, throwing operations into chaos.”

Government’s weak showing in the SecurityScorecard rating echoes concerns raised by others in recent weeks. The Government Accountability Office for example has noted that the U.S. Office of Personnel Management still has not sufficiently tightened its cyber situation, despite a widely reported 2015 attack.

At the same time, SecurityScorecard did single out some federal agencies as being especially strong in their cyber profiles. Included among the 10 best-scoring agencies were the U.S. Secret Service, the National Highway Traffic Safety Administration, Internal Revenue Service and the Federal Reserve.