[cyber]

One also needs to take into account how these larger companies' internal groups function.

"Brian" probably looked into it, knowing that obscurity != security, but got a response back from the group responsible that was the way they intended it to work, and that group's management wasn't going to do anything about it. "Brian" may have even put messages in the right ear up the management chain such that it would actually effect the outcome.

The fact that the email exchange lasted 2 months before "Brian" said "Sorry, not a case." probably means that "Brian" was trying to make it happen and had actually done an analysis.

* Note: I'm NOT Brian. I've never worked for Microsoft.

[cmdrfred]

Probably some metric says that if "Bob" gets less than X cases per year he gets a bonus. Problem is "Bob" determines "Frank's" wage and "Frank" is "Brian's" boss. It is probably more complicated than that but that's what it always boils down to.