It seems like cybersecurity is in the news all the time these days, with scams more prevalent than ever and phishing on the rise. So you’d think major web sites would be more secure than ever, right? It turns out that some of them are, but some pretty important ones aren’t.

According to a new report from the Online Trust Alliance, consumer sites like Twitter and YouTube have some of the best security practices, and are the most “trusted” at keeping user data safe. But over half of government web sites are exposed to cyberattacks, which is a bit alarming considering the nature of data that’s often transmitted through them.

This year is the ninth time OTA has released their annual “Online Trust Audit & Honor Roll.” For the purposes of this report, only sites that require users to create an account are checked. The group analyzed over 1,000 consumer facing web sites for privacy and security measures, and found that 76% had a high enough grade to make the honor roll.

While there were more “trustworthy” sites than ever, only 39 percent of U.S. federal government web sites made the cut. And only 27 percent of Federal Deposit Insurance Corp. 100 bank sites. For government sites, that’s actually a significant decrease from 46 percent in 2016.

The report noted that since many people are paying more attention to security, there’s not a lot of middle ground. Websites “increasingly either take privacy and security seriously and do well in the audit, or lag the industry significantly in one or more critical areas,” it read.

Help could be on the way, though. In 2016, President Barack Obama proposed a $19 billion cybersecurity plan to modernize and replace the government’s information technology systems. That was followed by an executive order from President Trump that’s aimed at protecting the USA’s infrastructure systems and government information technology networks from cyberattack risks.