"But 99% of this planet's population are nitwits,"
This! If anyone has a clue at all in CS and IT they will acknowledge this first and then design for the nitwits, but ALSO design for the people that have brains. Because it's us with brains that have to maintain this crap for the nitwits.
Here's the problem, the two are ALMOST mutually exclusive. (Please note ALMOST). One group wants bling ("Ooooh Shiny!!") and the other group wants functionality/stability, or (at least a way to minimize or customize the bling).
"Best Buy officials, while admitting 'human error' among its workers, denies any evil intent and says the false statements apparently made by store employees were a result of confusion and inadequate employee training... The intrastore version is showcased in store kiosks using Internet Explorer and is intended to show customers information about products available in the store, along with their official prices. The problem stems from Best Buy's price-matching policy, which promises to match the price of other retailers, and it explicitly includes BestBuy.com... The problematic scenario happened when customers saw a low Web price and went into a Best Buy physical location to trigger the price match and get that low price. Employees would agree to match the price and would say they are calling up the Web site to verify the claim. Instead of calling up the Web site, though, employees would access the intrastore version of the site, which looked identical (other than its pricing) to the site, and then used that to 'prove' the online pricing didn't exist.""
Consider that this can come in an image file, linked from any web page.
If a government were using something like this as a backdoor it would be very useful. Say you passed a law (CALEA maybe) that forced telecom providers (backbone providers) to allow you to intercept traffic. Part of the specification could allow for a replacement packet/response. You could insert HTML code into a spoofed response that included a link to an infected image.
If I see an IP of interest, hold the responding packets (until I'm sure it's complete).
Parse the returning html, and insert an infected logo at the end from one of our servers.
Voila, instant compromised machine.
Wouldn't this be a lovely (deniable) backdoor?
God, the pain medication must be making me REALLY paranoid tonight.