Founder and CTO of WhiteHat Security, Jeremiah Grossman has offered ‘some reasons I've heard over the years’. In no particular order:
1 No one at the organisation understands or is responsible for maintaining the code.
2 Features are prioritised ahead of security fixes.
3 Affected code is owned by an unresponsive third-party vendor.
5 Website will be decommissioned or replaced "soon".
5 Risk of exploitation is accepted.
6 Solution conflicts with business use case.
7 Compliance does not require it.
8 No one at the organisation knows about, understands, or respects the issue.
Grossman also asked for further contributions, which came in as follows:
1 Lack of prioritisation of the issues
2 More security scanning solutions are too expensive
3 Organisation ignored AppSec Consulting Service's industry best practice recommendation and tried to fix it their own way
4 Vulnerabilities are misunderstood
5 IT managers lose kickbacks from security software providers if they patch every hole
6 There is no budget to fix the holes
7 'It’s always been done this way'
8 No one asked us to change it for the last 50 products we developed with the same code, so why now!?
9 No one will hack our product/site (it's always others)!