true. I once worked at a bank and we used a 3rd party data warehouse web solution to get started with a new business. 6 months into it, i noticed that I could access cross customer information by modifying local javascript variables. When I brought this up to my manager he told me to patch this up asap. which i did, using MD5, because i was a jr engineer back then and didn't know any better (and apparently neither did my manager, nor the creators of that data warehouse)

my point being, without guidelines, or regulations, or some sort of security rating standard, managers will continue to make these mistakes.