[raesene9]

If https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransom... is correct a compentent web application security review (white box or black box) which was correctly scoped to include the affected files would likely have found the SQLi and authentication bypass issues (mentioned in update 12)

Without seeing the codebase in question, you can't be sure, but having been a web app pentester for 10+ years, these are the kind of issues that were found regularly, and whenever I saw classic ASP in tests, they were the kind of issues I'd be looking for, knowing the inherent weaknesses in the platform.