Yep! I had a department head tell me that we shouldn't prioritize a fix for an SQL injection vulnerability (with full schema privileges!) for a critical system because we have a backup service. I then asked if we've tested it - Nope. I then asked if we had documentation on how to do it - Nope. I left that department as soon as I could.
Not really. It was an internal application, which greatly reduced the risk. The type of information wouldn't be very useful to an attacker. The main problem is that there are developers and business people who also run some SQL and use the system. If they accidentally paste SQL into a search box, it will execute. They could drop tables or anything, even in PRD. If someone were disgruntled or an attacker gained access they could intentionally wipeout the database.
