"Getting copies of all printed documents is definitely a security vulnerability, but I think the biggest threat is that the printers are inside the network, and are a more-trusted launching pad for onward attacks."

Bruce Schneier wrote about printer security after he attended a presentation at the Black Hat Conference.

I have similar experiences; once installed, printers are often left alone by many IT departments. Even printers that were decommissioned can regularly be found on the network.

The approach that we have taken is that we have put all printers on a separate VLAN, which only allows incoming connections from our printer spoolers. It blocks outgoing connections completely. Furthermore, all critical VLANs explicitly refuse incoming connections that originate from the printer VLAN.
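One way to check that a policy like this is actually enforced is to audit connection records against its three rules. The script below is an added example, not part of the original post; the subnets, spooler addresses and the `initiator responder port` record format are assumptions made up for illustration.

```python
import ipaddress

# Assumed addressing (not from the post); adjust to your own network.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
SPOOLERS = {ipaddress.ip_address("10.20.10.5"), ipaddress.ip_address("10.20.10.6")}
CRITICAL_VLANS = [ipaddress.ip_network("10.20.50.0/24"),
                  ipaddress.ip_network("10.20.60.0/24")]


def check_flow(src, dst):
    """Return the violated rule for a connection src -> dst, or None if allowed.

    src is the host that initiated the connection. Replies on a connection
    opened by a spooler are not separate records and so are never flagged.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in PRINTER_VLAN:
        if any(d in net for net in CRITICAL_VLANS):
            return "printer-to-critical"      # critical VLANs refuse printer traffic
        if d not in PRINTER_VLAN:
            return "printer-outbound"         # printers may not initiate outbound
        return None                           # intra-VLAN traffic never crosses the filter
    if d in PRINTER_VLAN and s not in SPOOLERS:
        return "non-spooler-to-printer"       # only spoolers may reach printers
    return None


def audit(lines):
    """Parse 'initiator responder port' records and return the violations."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        rule = check_flow(src, dst)
        if rule:
            findings.append((src, dst, int(port), rule))
    return findings


# Constructed sample records, not real traffic.
SAMPLE = """\
# initiator   responder     port
10.20.10.5    10.20.30.17   9100
10.20.40.22   10.20.30.17   9100
10.20.30.17   198.51.100.7  443
10.20.30.17   10.20.50.10   445
10.20.40.22   10.20.50.10   443
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding means either the filter has a gap or the records were captured at a point the filter does not cover, such as a decommissioned printer still attached to another VLAN.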

When we set up this system, we did it because it appeared to be the right thing to do. Reading this blog entry supports that feeling.