
Not sure if you included it above but a big lesson there is that even though it's very easy to prevent this kind of thing in software, when the incentives are going in the opposite direction, the software provider will likely do a shoddy job (e.g. the unvalidated URL param). The ole "It is difficult to get a man to understand something, when his salary depends on his not understanding it."



The developers' salaries depended on kids changing URL parameters to spend their parents' money? I doubt that. I doubt the developers ever expected this to happen.



