QA departments are notorious for not being very creative. You'd need a star QA department to find the /admin hole, I think.

No, you just need functional tests. Having these kind of bugs in a spare time project is fine, but if you call yourself a startup and ask customers to trust you with data, you need to seriously consider security issues.

yea i mean it seems to be a first step obvious point.