Years ago I stumbled upon a hideous flaw in a client's website after being asked to retrieve a file from it: Directory listings turned on and folders filled with customer accounts, details, histories, etc.
Luckily I had read enough Slashdot to understand I shouldn't just bang an email out to them explaining that I'd just perused thousands of customer files by simply chopping the filename off. No, instead I reported to my superiors and warned them to let the CEO himself "gently" suggest this little oversight to the other company and keep my name out of it. So it was, and nothing nefarious came of it.
As IT pros we must understand that what sounds trivial to us sounds like (car analogy ahead) this to a customer:
"Oh hey, that lock on your garage is useless, I mean I picked it in like 5 seconds. Then I unlocked your car too, and started it, and drove it around the block. Just wanted to let you know you should be more careful".
It is not like that, but it sounds like that. S'all I'm sayin.