Re: About what I'd expect, really
The lowest bidder is still informed of the requirements. It isn't who can just flat out do it cheaper, it is who can do it cheaper meeting X, Y and Z requirements. Then there are confidence issues to be addressed, after that the "favorites" game happens...don't want to appear to be playing favorites!
It is possible that the scripter (scripter a word?) that was in charge of this scripting was reading a requirement sheet that read, in a way, that this was an actual requirement. Scripting languages like ASP, PHP, Python etc. are easy to throw together with or without security in mind, but that doesn't mean your boss knows how to. Between your boss, requirements, and a lethargic "team response" from the government, a lot of dangling holes appear and remain. Think spaghetti code put into a high heat spin cycle...results may vary.
The problem isn't that this bug was present; the problem is that no one knew this bug was a problem. Code auditors are extremely scarce around the DHS...apparently.
P.S. I don't understand if "scripter" is a word or not, seems legit.