Very close to a real-world scenario. I usually bring it up to compare big teams to small. (Our small team was being replaced by a big, expensive team, and I found an issue in 15 minutes that the new team had created - despite sharing my findings immediately, it still took their team weeks to find it "on their own", admit to it, and finally fix it.)
There was a CAPTCHA used to prevent bot spam on a contest entry portal. The code that randomized the image displayed was modified to be stored in an application cache that persisted across sessions (meaning every "user" saw the same image and could use the same answer). Guess how useful that was in preventing bot spam?
(The fix was to delete one or two lines of code that were not only not helpful, but obviously harmful!)
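The caching bug described in the post above, modelled as an added example (not code from the original post or the portal). All names are hypothetical, sessions are plain dicts, and the single-use check in the fixed variant is extra hardening beyond the fix the post describes.

```python
import secrets

# Constructed model of the bug; every name here is hypothetical.
APP_CACHE = {}  # application-wide cache, shared by every session


def new_challenge():
    """Stand-in for the image generator: the answer a fresh image would encode."""
    return secrets.token_hex(8)


class BuggyCaptcha:
    """Challenge is generated once and kept in the application-wide cache."""

    def issue(self, session):
        if "captcha" not in APP_CACHE:  # the harmful caching step
            APP_CACHE["captcha"] = new_challenge()
        return APP_CACHE["captcha"]

    def verify(self, session, answer):
        return secrets.compare_digest(answer, APP_CACHE.get("captcha", ""))


class FixedCaptcha:
    """Challenge is generated per request and bound to the requesting session."""

    def issue(self, session):
        session["captcha"] = new_challenge()
        return session["captcha"]

    def verify(self, session, answer):
        # Consume the challenge so it cannot be replayed (added hardening).
        expected = session.pop("captcha", None)
        return expected is not None and secrets.compare_digest(answer, expected)


def answer_reusable_across_sessions(captcha):
    """True if an answer obtained in one session is accepted in another."""
    first, second = {}, {}
    answer = captcha.issue(first)   # one visitor sees and solves the image
    captcha.issue(second)           # a different visitor loads the form
    return captcha.verify(second, answer)


if __name__ == "__main__":
    print("cached variant reusable:", answer_reusable_across_sessions(BuggyCaptcha()))
    print("per-session variant reusable:", answer_reusable_across_sessions(FixedCaptcha()))
```

A regression test built on `answer_reusable_across_sessions` would have flagged the cached variant as soon as the caching lines were introduced.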