A report found that over 60% of surveyed state agencies have not performed cybersecurity risk assessments.