It's not just strcat-ing paths together. It's … everything. I've seen databases with crap passwords (think "admin"/"admin"), because someone didn't want to take the time to generate one securely. I've seen systems subsist on a shared username/password (despite that being a security policy violation) because the sysadmins on the same security team responsible for Okta a.) can't take the time to get the assignments done and b.) don't understand Okta (or OIDC, or SAML, or …). I've seen people argue for "I need the list of user emails to import into MailChimp" — no, you most certainly don't: you need to write an email within the system's pre-existing mail functionality, since that respects the users' prefs as to whether they get your spam or not — and then escalate because that's not what they want to do, despite what they want clearly being wrong, and at worst, being a violation of anti-spam laws. I've seen people repeatedly fight factoring stuff into a library "well, we're just going to need this code this one time, putting it in a library is too much work" — and they're the fourth person/use-case to utter this — and then proceed to hit every corner case that such a library could encapsulate nicely. (But even after that: "so, now that you've hit all the bugs and corners, are you going to library-itize it?" "no, we only need it this once, it's not going to be needed ever again".)
I don't know how to raise the bar. HN itself perennially whines about interview processes that deliver any assessment of the candidate's technical acumen — or lack thereof. Interviews will be Y/Y/Y/N with the lone dissenter being the only technical interview.
And there's no reward in trying to maintain the bar, AFAICT.