This is what happens when you skimp on resources for projects, take shortcuts, and frankly, hire amateurs.
So many times I've shown up on projects and client sites, taken a quick look at the code, and then seen how vulnerable a site is to injection attacks. In NYC there's a system in place run by the Government that has this vulnerability to this day. I informed the owners of the system of its presence, but they shrugged it off. At that point it was all CYA on notification about the issue as I was there for something else.
'Hackers' deface UN site