I think this is one of the things that Microsoft did a pretty good job with. There is a security process in place that every product goes through for every release. While it still can't catch everything, even the simplest of threat models would have caught a bug like this.

While Facebook most likely does do some form of threat modeling for their main site, without a rigid process for all code that goes public you'll run into issues like this that are just as severe. Just because it's a mobile support site for requesting photo removals doesn't mean it is less important surface area in terms of security.

Exactly. As little as possible should be passing through the querystring. Put in the minimum amount in the QS and look the rest up in the DB. If possible, the QS should be signed for an extra layer of protection.