I can believe they stuck their admin at /admin, but it's hard to believe they didn't create an admin bit as part of the users table and check it to access /admin. That takes about 2 minutes if you do it when you create the system.
Oh well, everyone overlooks something that seems obvious to someone else, I guess.
I'm not advocating firing the developer. If every developer got fired for every stupid silly mistake we'd have no working developers in the world. I was just clarifying the seriousness of this specific flaw. :)