There are three or four other major findings – issues about the amount of security training available for software developers, their awareness of security issues and their tendency to use the need to deliver software quickly as an excuse for building apps insecurely.
All those would be worth some discussion at some point.
They're all relatively high-level security issues compared to the lock-the-basement-window level of Duh-awareness necessary to realize that if you're going to put an app out on the web for the public to use, you have to reinforce it so at least the most common forms of attack won't work the first time or two.
Leaving those gaps unfilled isn't just asking for trouble. It's a demand that someone pwn your application quick, before you have to do something even more obvious to draw trouble – like allowing your 256-bit WLAN key to make you feel secure as you leave the server closet and external building doors standing open while you log off the network and head for home.