|The stupid question is the question not asked|
I work at a mid-sized company that solely depends on income generated by the website(s) it owns. I will add that it does well and wasn't ever really affected by the market fallout.
The company is frugal when it comes to hiring well paid programmers and admins and therefore suffers by not being on the bleeding-edge when it comes to security. I cannot condone these actions but I can certainly understand them. Computers are such commodities these days, that the overall view taken is; we have many replicated backup units that when one gets hacked/rootkitted/fails we pick up one of these units and cart it to the server location.
Very little time is spent hardening the infrastructure, mainly because it was originally built so haphazardly that it would be quite a large undertaking to make it all as secure as possible.
My main focus at this point is creating a large intranet--based webapp, and it is full of security vulnerabilities, I think this is due partly to my own apathy and the pressure to complete the tasks assigned, though rarely I do have extra time by the deadlines and do some security testing. I can certainly understand why an external param run through an eval is a very dangerous prospect. But my apathy stems from the perspective that all systems exist because my company would rather shell out a few extra grand is setting up replicated slaves rather than spending the tens of thousands of dollars (even hundreds) to harden the complete system.
These days all serious companies are trying to make a good go of it and cutting costs as much as possible. In my case this is how the security issue has been dealt with.
On the other hand, when working on my own projects, I make sure they are secure as possible. I don't think there's anything wrong with this approach when your superiors explicitly frown on time spent on security checks/fixes.
I can only sympathize with everyone who sees this as a problem plaguing many companies. It can only get better. When you're a lone ranger, its hard to take on all the bad guys yourself.