
I do performance / app triage work, but see the same thing. Often I walk into a supposed "emergency" only to discover the problem has been occurring for months, if not years. Often, there is a significant cost (i.e., in the millions) but either the organization isn't willing to remediate, or isn't even aware of the full scope of the cost (i.e., "It's not my budget so I don't care"). In at least one case, I came across a security problem where the response was "oh yeah, we've known about that for years". Sigh. Sadly, too often unless companies have a very large customer who gets angry with them, or they are publicly shamed for a problem, they just let it magically go.



I came across a "hole" in the design of a vendor I was evaluating. Their fancy Java UI actually just downloaded plaintext root credentials to their MySQL database. All security was client side. As a bonus the root credentials were debug logged to the user's local computer.

Making it worse, they actively sold this as a multi-tenant platform to be used with mutually untrusting parties.

When I met with engineering and started to explain, they started smiling and said "this is a known issue and we're going to fix it in our next version."

Quite some time later I ran across people using it in the wild and they had not patched a lot of the glaring holes. Even their newer version had a hidden input field on the edit profile page named "IsAdmin". This did exactly what you think.

They ended up having a successful exit as far as I know and I've never heard anyone speak ill of them security-wise.

Telecom is a mess. These holes are easily exploitable for direct profit. But there's so much more low-hanging fruit, I don't think people bother.
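The "IsAdmin" hidden-field bug described in the comment above is a mass-assignment defect: the server copies whatever the form submits onto the profile record, so the client controls its own role. The following is an added illustration, not code from the thread or from the vendor discussed; the profile layout, field names and the `Session` dict are assumptions made for the example. It shows the vulnerable binding beside a hardened handler that only accepts an allowlist of editable fields, reports the rest for logging, and changes the role only through a separately authorized path.

```python
"""Added example: mass assignment of a privileged field vs. an allowlisted
update.  Profile and form shapes are assumptions for illustration."""
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread).
SAMPLE_PROFILE = {"Username": "mallory", "DisplayName": "Mallory", "IsAdmin": False}
FORGED_FORM = {"DisplayName": "Mallory", "IsAdmin": "true"}  # hidden field edited
EDITABLE_FIELDS = {"DisplayName", "Email"}  # fields a user may change about themselves


def update_profile_vulnerable(profile: Dict, form: Dict[str, str]) -> Dict:
    """Binds every submitted field that matches a profile column, coercing
    booleans from the string the browser sent.  Nothing distinguishes
    IsAdmin from DisplayName, so a forged IsAdmin=true promotes the user."""
    updated = dict(profile)
    for key, value in form.items():
        if key in updated:
            updated[key] = value.lower() == "true" if isinstance(updated[key], bool) else value
    return updated


def update_profile_hardened(profile: Dict, form: Dict[str, str]) -> Tuple[Dict, List[str]]:
    """Copies only allowlisted fields.  Anything else is returned as a list of
    rejected field names so the caller can log it: a client submitting
    IsAdmin on this endpoint is a tampering signal worth alerting on."""
    updated = dict(profile)
    rejected = sorted(set(form) - EDITABLE_FIELDS)
    for key in EDITABLE_FIELDS & set(form):
        updated[key] = form[key]
    return updated, rejected


def set_admin(session: Dict, profile: Dict, value: bool) -> Dict:
    """The only path that touches IsAdmin.  Authorization comes from the
    server-side session (assumed to carry the caller's authoritative role),
    never from anything the request body says about itself."""
    if not session.get("IsAdmin", False):
        raise PermissionError("only an administrator may change IsAdmin")
    updated = dict(profile)
    updated["IsAdmin"] = value
    return updated
```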


This stuff is really the ultimate technical debt. Fixing it seems to provide zero benefit today. But there is a significant chance that one day it's an extinction event (or just a billion-dollar blunder, if you're big enough to survive it).


Risk vs. reward, I'm afraid. The Sarbanes-Oxley legislation attempted to put skin in the game for the C-level execs in public companies, so I cannot help but notice how many public companies delisted and went private after that. The whole of the corporate charter was meant to insulate investors' personal wealth against risks. I guess this is where licensing can provide a backstop to poor development practices, but it seems to have not really caught on.



