For the sake of professionalism I will decline to name the company in question; however, their response to a recent comment I made to them caught me off guard.
The background is that we just signed up with a third-party service for a certain web-based application. A domain name pointed to the old site we used to host ourselves, so it was included in our regular vulnerability scans. With the acquisition of the new service, I repointed the domain name to the new site, which they host as a SaaS. By accident I therefore performed a vulnerability scan on their network. But boy was I surprised to find 6 major PHP security holes and to discover that their SMTP server is a completely open relay.
Since confidential client information is stored on this site I had to inform them of the situation. Here is my comment to them:
We used to have a host name host.ourdomain.com that pointed to our (self hosted) Service X site, before we signed up for Service X. As part of regular maintenance I run monthly vulnerability scans on our domains. Since I moved host.ourdomain.com over to point to host.yourdomain.com, I neglected to remove the host name from this month's vulnerability scan. Thus I scanned your network by accident.
The issue, however, is that I see your network contains a large number of security holes. Since our confidential data is stored on your servers, I'd like to understand how this came to be and what you will do to rectify the situation.
See attached report.
<Attached the result from a Nessus scan>
Their response:
Thank you for the update.
The vulnerabilities are related to PHP rather than to the Service X or specifically to our servers. Indeed we are aware of the vulnerabilities and we are already in the process of planning the PHP upgrade for the whole cluster. At present we are in the testing phase; however, it will be dealt with at the highest priority.
Needless to say, pointing the finger at the supporting framework / language your system is built on does not evoke warm fuzzy feelings of trust.
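The accidental scan happened because a hand-maintained target list outlived a DNS change: the host name still looked like ours, but its address no longer was. A cheap guard is to resolve every target before each run and drop anything that does not land inside the address ranges you actually own. The script below is an added example, not code from the original post or from any scanner; the host names, the owned range and the DNS answers are constructed, and the resolver is injectable so the check can run offline and be swapped for the real system resolver in production.

```python
"""Pre-scan scope check: keep only targets that resolve into ranges we own.

Added example, not part of the original post. The host names, the owned
CIDR and the DNS answers in FAKE_DNS are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve a host name to its IPv4/IPv6 addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def partition_scan_targets(
    targets: Iterable[str],
    owned_cidrs: Iterable[str],
    resolver: Resolver = system_resolver,
) -> Dict[str, List[str]]:
    """Split targets into in_scope, out_of_scope and unresolved buckets.

    A target is in scope only if *every* address it resolves to lies inside
    an owned range. A host with even one foreign address is excluded, since
    a scanner will probe all of them, and an unresolvable host is reported
    separately so stale entries get cleaned out of the list.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in owned_cidrs]
    result: Dict[str, List[str]] = {"in_scope": [], "out_of_scope": [], "unresolved": []}
    for host in targets:
        addrs = resolver(host)
        if not addrs:
            result["unresolved"].append(host)
            continue
        # ip_network.__contains__ returns False (not an error) on a version
        # mismatch, so mixed IPv4/IPv6 answers are handled without special cases.
        owned = all(any(ipaddress.ip_address(a) in n for n in nets) for a in addrs)
        result["in_scope" if owned else "out_of_scope"].append(host)
    return result


# Constructed DNS answers: host.ourdomain.com has been repointed to the
# provider's address (203.0.113.0/24 is a documentation range standing in
# for "someone else's network"), while the others still live in our range.
FAKE_DNS = {
    "www.ourdomain.com": ["198.51.100.10"],
    "mail.ourdomain.com": ["198.51.100.25"],
    "host.ourdomain.com": ["203.0.113.40"],  # now points at the SaaS vendor
    "old.ourdomain.com": [],                 # record was removed entirely
}
OWNED_RANGES = ["198.51.100.0/24"]


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver, answering from FAKE_DNS."""
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    verdict = partition_scan_targets(FAKE_DNS.keys(), OWNED_RANGES, fake_resolver)
    for bucket, hosts in verdict.items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

Run this against the real target list (with `system_resolver`) as the first step of the scheduled scan job and feed only the `in_scope` bucket to the scanner; anything in `out_of_scope` is a DNS change someone needs to review, and `unresolved` is housekeeping for the list itself.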