The truth is that Salesforce implementation partners vary incredibly widely in standards, and the platform has grown to be so large in part because of its customization opportunities. Salesforce has provided the tools to make the platform secure, but it is up to the implementation partners to use them. The finger needs to point to the partners doing this work.
These aren't mistakes, this is truly people cutting corners to either get a project across the line or to do it cheaply.
The product is essentially something like a very slow, "low-code" programming framework/UI builder. You get a huge variety of quality in Salesforce implementations, ranging from bad to extremely terrible.
These aren't mistakes, this is truly people cutting corners to either get a project across the line or to do it cheaply.