I blame the programmers for this, but I also blame the sysadmins for this mistake. Before we let any of our developers put anything on our boxes, we have code walks to examine and try to break the script. I personally believe I have worked with some future Darwin Award winners in qa departments I have worked with, but they have made sure our code worked. (They also managed to break code in ways I still can't fathom) It appears to me that the sysadmins are at fault for letting that kind of code to sit on their servers.
just my $.02