Who says it was? Why would they willingly give out their customers' and customers' customers' data to any anonymous person or a bot?
More likely a bad oversight
This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.
For 3 years? That would mean that no developer has ever raised these issues with management, to speak nothing of an actual pentest being conducted.
No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.
I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shut down.
Because they don't care, and their customers don't understand any of this shit?
It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.