Its horrible how common this is. I used to do work on local business sites and the security was horrific. Pages that contain sensitive data or even CRM management pages exposed to the public internet with no password at all. On some of the less sensitive ones I had a look I found details of family members in these exposed sites.

Not only that, but it was all horribly outdated. Seen some things running on rails 1 pre release on a debian server about 6 years passed end of life.

Its a wonder the world works at all.