I have to think even the most myopic bureaucrats would remember to include "cannot be opened except by authorized parties" in a requirements document for a safe.
Yes, but all that will achieve is a tester writing it into their plan to check that invalid credentials don't let you in. It will not magically teach programmers to write secure code.
The bit I was replying to was a hypothetical situation where QA does, for some reason, find the flaw but management rejects it because it doesn't match a bullet point in the requirements. My point was just that if that's not in the requirements then you have even bigger problems. I never claimed or even implied (because I don't believe) that writing down that requirement would actually achieve anything.
