Security flaws not systemic, says GCIO

08:37 am on 6 June 2013

The Government Chief Information Officer says a review of the IT security of 70 state agencies does not show a systemic problem.

Audit firm KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes.

The review, released on Wednesday, identified 12 systems at risk because of insecure passwords, potential access by unauthorised users, or connections to internal networks. However, there was no evidence of privacy breaches.

The review had been sparked by privacy breaches identified at Social Development Ministry kiosks in October 2012 and found 13 government agencies had a particular lack of security around public kiosks and websites.

Colin MacDonald told Radio New Zealand's Morning Report programme that for security problems to be systemic it would mean the whole system is not working, and that is not the case.

Mr MacDonald said there is no question government agencies need to improve the way they control and manage the risks, and a significant amount of work is under way.

"But you can't get away from the fact that it's a risk management issue and it needs to be managed at the right levels in government departments."

Govt security faults 'could be more widespread'

Technology experts say the review does not tell the full story and gaps in security could be far more widespread.

Business and technology consultant Lance Wiggs says the report relied on information from each agency, and many were unable to show what security was in place.

"The real problem is the unidentified number of agencies that weren't able to report that they had vulnerabilities because they didn't have the systems in place. That's the real issue here: they don't know what they don't know."

IT security expert Daniel Ayers says there could be more than 13 organisations with problems because a number of agencies have taken no steps to test security.

Insomnia Security consultant Adam Boileau says empirical testing needs to be done to fully assess the risks and there should be mandatory reporting of all breaches.