Exactly. Often in BigCorp-type places bugs are classified as deviations from requirements. If this poor design was the requirement, then any objections that may have arisen would've probably been classified as suggestions instead of bugs.
I have to think even the most myopic bureaucrats would remember to include "cannot be opened except by authorized parties" in a requirements document for a safe.
Yes, but all that will achieve is a tester writing it into their plan to check that invalid credentials don't let you in. It will not magically teach programmers to write secure code.
The bit I was replying to was a hypothetical situation where QA does, for some reason, find the flaw but management rejects it because it doesn't match a bullet point in the requirements. My point was just that if that's not in the requirements then you have even bigger problems. I never claimed or even implied (because I don't believe) that writing down that requirement would actually achieve anything.