by ryandrake 3245 days ago
Perhaps the contractors who built the site followed the letter of the contract, and the security requirements were insufficiently specified. Or maybe, in the case of an internal development team, they followed the spec which itself was ambiguous.

People forget that not all developers out there are Silicon Valley Rockstar Unicorn developers, who are thinking about the product's needs and the users and the edge cases. Lots of this kind of work is done at body shops where, if the customer specified the name input field should allow 8 characters, they'll make it allow at most 8 characters even though they know that people have names longer than that. If it comes back as a change request, $$$ cha-ching!

1 comments

I actually wasn't making an argument about contractors at all, but operators. If you operate something that you've been informed is unsafe, you fix it or stop using it. It gets fixed or you are purposefully endangering people that use it. How it gets fixed and who pays are separate issues.