Putting this in Foo because it does not seem to fit in anywhere else.
TL;DR version: A fairly large vendor leaves SQL injection vulnerabilities in about 100,000 websites. A security researcher notices, and alerts the vendor and a few of the largest affected sites. The vendor gets upset that the sites were notified. Researcher then finds out vulnerability was made public in 2010.
There have been no hacks of these websites.
So neither the vendor nor their clients care about security, leave a vulnerability open for years and NOTHING HAPPENS.