"I never imagined anyone would do that!"
Although I like to believe these failures are due to ignorance and not hubris, I find myself baffled that large companies don't know better.
Sure, some designers try to do a good job, but more often than not all they really do is sprinkle security pixie dust on the system and release it to the public.
The facts are: security professionals make careers out of protecting systems and hackers make careers out of attacking systems.
This stuff isn't that complicated, but it's more complicated than tossing a salad.