Here's the thing, a lot of times people just don't care. I've sent emails to Amtrak, USPS, SallieMae and many others about bugs on their sites. Most of the time I just get canned responses saying they'll look into it or reply with something totally irrelevant. Sure it probably would have been the courteous thing to do by sending the webmaster an email first individually, but if you were the client, wouldn't you want to know about this vulnerability? Wouldn't you want to know your database has been compromised?