Follow
I literally faced a customer who told me they won't fix a SQL injection I found in their code because, wait for it:
- No customer asked for it.
My line of argument was that customers generally tend to assume kind of by default that the software will not randomly spray their most sensitive data on public web pages...
But the business wasn't convinced.