And, of course, let's not stop there ... let's move to the managers, executives, and sales/marketing assholes who force this shit out the door.
The poor bastard of a programmer who has been told by the VP or the CEO (or the sales wanker) that the product must ship now, or that security doesn't matter, is not always the cause of this. Sometimes they're the ones saying "umm, guys, this could be a problem".
So, if we're assigning blame, let's go with the people who are actually to blame and who make the decisions.
In the military, "just following orders" may not be a defense. But in private industry it's often the management who create these problems.
Which is precisely why I say that corporations should be held to a legal standard for the protection of personal information, and should carry penalties for failure to do so.
As long as corporations just say "oh, bummer dude" and have no penalties, they'll continue to cut as many corners as possible. Because there simply is no consequence for them.
I'm as concerned about the management people who don't give a damn. Because they're the ones who make policy and decide that not sucking at security is too costly.
So, want a secure internet? Kick an MBA or a CEO in the nuts, and tell them you'll keep doing it until they insist on secure code.