I'm the guy who originally contacted Troy Hunt about this, as he mentions in the blog post.
What annoys me is I'm a very young developer, and I've only really just become interested in security (12 months ago I didn't even know what hashing was!!!), yet there's developers out there with years and years of experience making huge sites for the likes of Tesco and TopCashBack for vast sums of money and they don't think about incorporating even the simplest foundations of internet security a novice like me would implement without even thinking! How is this possible?! If I'm doing it in tiny little PHP sites with 1 unique visitor ever, why are these 'experts' not doing it in their huge corporate sites with hundreds of thousands of users a month?!
I could cite multiple reasons, but the main one I see is that the people who pay for and specify the requirements of a project are often nontechnical and don't delegate any decision making authority to technical personnel, no matter how much talent is in the pool. Repeated attempts to bring up issues are met with blank stares, as if a foreign language is being used (and to nontechnical people, it is). I've gotten calls at 5 PM on a Friday that "Our new site (hosted on a third party server) is going live on Monday! We need a domain and an SSL certificate." In a corporate or institutional environment, bureaucratic obstacles can make such a request impossible. Throw in a VIP who won't budge, and you're about to ruin the weekend for multiple employees who will remain gun-shy about disclosing any problems in the future.
Years and years of experience? Often not, and that's speaking from years and years of experience!
Vast sums of money? Yes, at least the outsourcing vendors who churn this sort of thing out.
Unfortunately you're the exception Mark so good on you for that. Well I mean unfortunate for the greater web using population, but very fortunate for you!
To expand further on those points with a personal anecdote... I worked on a "big website" for a very big government department. I was still in university at the time, had about a year's experience with the platform, and was earning close to call-centre wages.
The government only contracts to companies on a particular whitelist, which we weren't. They paid a company something in the region of £300,000 for the website.
That company then outsourced 100% of the work to the tiny (single digits employee count) company I was at.
They paid us £40,000.
My share of that works out at about £2,000.
The fact something cost half a million dollars in no way implies any kind of quality, or that the people working on the software will know what they're doing. (Really: another horror story involved a website that only needed to work in IE6... and had been built and tested purely in Firefox)
Businesses care about loss, not security as an intrinsic merit. They will invest in it only to the extent to which problems are actively costing them sales, raising expenses like insurance, or are required to comply with some sort of regulation (government, credit card processor, etc.).
Something positive like a site redesign perceived as increasing customer appeal or negative like an expensive legacy server upgrade often trumps security unless it clearly poses a future risk – this is also why many large companies tend to follow the trailing edge as the main concern is usually avoiding a lawsuit alleging that they were significantly worse than everyone else in their industry.
Because huge corporations often prioritize other things over technical expertise, and experts often prefer to work in settings other than huge corporations.
This is not always the case. Lots of marketing/PR companies started off in the pre-Internet days, and simply added websites to their list of services and rely solely on the experience of their devs to handle the rest. I was a contractor for such a company and to cut costs (read: to save on paying me), they hired a junior developer with no formal education, who specialized in copy-paste programming to do many of their large sites. He's since left, but the damage he's done still lives on in the countless sites he built for their clients, which are full of horribly insecure code (especially #1 on the HTTPS no-no list).
The good news is that, following his departure, I got plenty of work doing clean-up jobs on all the sites he built. :)
In any sufficiently large organization, the people who make the decisions and the people who enact those decisions are separated by distance, background, experience, or other reasons. This is why you see so much dysfunction in large organizations, and it extends to politics and other things that affect you as well. Look for it and you'll start seeing it everywhere.