Web Site Vulnerabilities

Recently I came across two web sites that had various vulnerabilities. 
One was subject to a basic SQL injection attack to log in to their 
customer side, and the other was displaying ASP code in the page that 
listed not only various function definitions, but login, URL and 
passwords (including sa) for their database.

In both cases I have working relationships with the managers and sent an 
email off to them. In both instances the managers replied that they were 
aware of the issues and the SQL injection attacks, but didn't feel it 
was a priority to fix.

On one of the sites I could understand. It is basically a portal to 
publically available information, and no secure information is stored in 
their system. The second was on a machine that passed authentication 
information to a remote banking site and though I don't know, would 
surmise that it might be possible to jump off of it if compromised.

Have we really become so lax in our thinking that security issues such 
as these can be shrugged off? Don't get me wrong, I'm not suggesting 
that either of these cases should kill all development and immediately 
fix it (though in the case of SQL injection attacks it is so easy to 
fix...). But some response should at least be justified (for example, 
with the banking site, whose vuln is still present). Or is it fine to 
postpone worrying about problems such as these if you don't think they 
will have an impact?

Cory