It's honestly quite pathetic, but not at all unexpected these days. I do sometimes wish that when the negligence is so gross (sending API keys in the response to an unauthenticated request?) the government would issue a fine. If you don't feel that your developers are security-minded, there are many computer security professionals around the globe available to help. Maybe using some of those hundreds of millions of VC dollars for a quick audit would be the norm if there were actual penalties for this kind of reckless behavior.
> I do sometimes wish that when the negligence is so gross that the government would issue a fine
I also think that there must be a line between getting hacked because some 5th-level transitive dependency had a memory overflow bug that made it possible for the attacker to push some sensitive data into the response headers, vs. "auth? what auth?".
Very hard to define exactly where that line should lie, though, other than for the extreme examples.