I don't really understand why it took until the 29th to advise users that they should probably restore from backups. We have backups of course, but each day that goes by makes restoring from a backup almost exponentially less feasible.
People who are active in the community and spend all day in #drupal on IRC might stay on top of the aftermath of something like this. But I don't think most users of Drupal employ full-time babysitters for their CMS. Many Drupal site administrators are probably not the most technical either, it's a point-n-click application, so why bother employing a sysadmin when we can pay for Jonny Wordpress to have a morning of Drupal training and a book to not read.
At best Jonny Wordpress might subscribe to the security announcement feeds or mailing lists. Perhaps even these... https://www.drupal.org/security/rss.xml and https://www.drupal.org/security/psa/rss.xml
In which case he would have no idea of the total sh*tstorm that's rained down in the intervening 2 weeks.
SQL injection is horrendous and especially bad news where so much of a site's structure and config is stored in the database. And even worse when the bug has been present for the 3+ years since the release of Drupal 7.
I've always thought Drupal was a total dog of a CMS. Unfortunately though it's the easiest dog there is for fudging custom applications without too much actual development experience required.
Typically I see 200+ DB queries to load a page, 4k+ in some cases with a totally cold cache. And people wonder why their Drupal sites have such poor performance! The best way to use Drupal is to not use Drupal at all, and I'm not just being an arse by saying that, I mean just use it as a glorified static HTML generator and cache the result in Varnish/nginx.
IMO if you need 300 modules and blobs of code to get a thing to do what you want, you should probably be doing it yourself anyway.
Lol, I suppose the old witty IRC reply to questions/requests for help does apply in this case... Not happy? Ask for a refund*
* I'm not slating open source in the slightest so please don't downvote. Anyone who works with open source projects will have seen someone reply with that at some stage.