in reply to web site design, or lack thereof
I am not surprised because if the management is not security conscious, the web people aren't going to be.
In your story's case, the management did not understand or care about security to hire a designer that is concerned. Then again, he might have been the cheapest they could find! ;-)
Even though your claims about losses are right, many executives see a large expenditure for something that might happen.
Another school of thought, and a phrase I have even heard: "Put it now, we will fix it later." Why delay the rollout with the security design? We can always add it later! *Shudders*
Makes me believe the Peter Principle is fact! ;-)