Depends on who you're talking about. An XSS vulnerability in a web app will get you shelved at a Fortune 500 company. When new apps get deployed on customer DMZs, third-party audits happen. When they find vulnerabilities, you spin dot releases. On a typical 4/2 dev/QA dev team, in the hopelessly optimistic case where you can turn a QA'd dot release in 2 weeks, you just lost $37,500.
I do. Look, most users cannot care about this vulnerability because they don't even know about it. Besides, most of them have a good reason not to understand the implications: it's not their job.
I think users deserve more respect even if they're incompetent outside their fields of competence.