Is the console logged out? I've found many servers that when the console is accessed, the root user is still logged in from the last time it was accessed. Is there a drac or ilo connection on the server with default or weak passwords that would grant someone console access? How are your ssh keys stored? Are they on an unencrypted laptop, flash drive, or other disk that could be easily stolen or misplaced?
What's to prevent someone from going to the server location, attaching a monitor, putting the server into single user mode, and resetting the root password? Here are some things I would be concerned about:
