vendor (Score 1)

I'm certain it is a problem of the company. The company should A) have a qualified application designer who accounts for security related issues, B) have the QA plan to test security issues, and C) have the ability to respond to security issues with rapid patch deployment. Unless a developer maliciously includes security holes or deviates from a standardized development policy (and in this scenario, it's the company still, but they can take it out on the developer) I believe it's like anything else, where the employee (developer) is doing what the company asks of them. If the company does not have a standardized development policy that includes security related strategies, then the company is at fault for failed responsibilities. Cheers. Oh, and I don't know if this has anything to do with the topic.