I'm not hostile to Paxum. Nor do I think Paxum is trying to defraud anybody; I see no sign of that at all. What I do see is a sign of lack of sufficient experience in designing and managing secure web sites. You *MUST* get people in there who know how to handle the types of security required for a financial institution.
I'm not hostile to Paxum either, and I don't think Paxum is trying to defraud anyone. I wouldn't read as much into these particular issues as ErgoOne seems to.
But I will say one thing from my own experience: It is very easy for non-technical people to assume that because someone knows how to do something and make it work, they also know how to make it secure. And it's easy to assume that because nothing bad has happened for a while, your system must be at least reasonably secure. And it's easy to assume that because a system is growing, it's also growing more secure -- surely someone's doing that, right? However, these three assumptions are entirely false.
This is especially true for innovative companies that experience fast growth. Mt. Gox, for example.
A small anecdote: The last breach I helped clean up involved a software defect that could have leaked a small, growing company's entire customer and transaction database. The programmer whose code had the bug knew that his code had this type of bug, but he believed it was too difficult to exploit because he didn't know an easy way to exploit it. He, of course, was not a computer security person, so he had no idea that there are toolkits available that make exploiting bugs of this type extremely easy.
And one final point: If you ask these people if they take security seriously and if their code is secure, they will say yes because they honestly believe that they are. And they believe there's no need for other people to audit them. When they see how many vulnerabilities there are and how easy they are to exploit, they are frequently quite surprised. People who aren't security experts just don't understand what the threats actually are.