A fresh crop of computer science graduates should be those from whom this should never happen. They are newly trained, supposed to be security aware. Particularly if they have to deal with web site programming. This is the lamest excuse. I can rather than that old programmers getting a new assignment with web programming will not know how to circumvent such a problem even if they have heard about it in the news. Employers are often trying to save a few bucks on training of old farts.
However, I believe the real problem lies with the level of training, academic or not, the programmers have. Someone without any proper background may get assigned to a web application design. I have even seen architects without proper skills. I have seen managers who want to save a few bucks and asked to skip the error handling design and so on. This industry is sometimes really insane and these incompetent managers/architects are still rewarded until the company gets hit by an exploit due to their incompetency.
I can give names, but I won't.