I dunno, I've been in many situations where I've personally pointed out defects like, "this allows a user to create orders for other users," or, "there are credit card numbers being dumped in the stack trace," only to have any form of suggested remediation panned by decision makers because they didn't consider it high risk.
You don't know that the system wasn't designed to have high and low risk messages, the contents of which were not generally known until runtime but were adequately handled, and the person managing the application chose to create the two message entries as low priority messages, breaking process.
I'm going to treat your perspective as, "if this scenario is the reality, the dev messed up," while understanding that in the scale of things that get budget or priority, PEBKAC Byzantine correction layers are generally filed as nice to have by the people signing your check, and doing work on things which were not explicitly approved is a good way to end up without a paycheck.