Hacker News

Tell me this: you discovered that your employer stores the user password in plain text. You propose a change, but they refuse; who do you report to? In my experience, pretty much nothing happens until shit hits the bed. There's pretty much zero professionalism in the industry outside of some semi-autistic and OCD people who can't stand this stuff and decide to do it correctly by spending the weekend making sure things are built with correctness in mind. Most people just write stuff until it "works" and leave it at that.


The problem in this scenario isn't software engineering necessarily, it's lack of punishment. Companies do things like this because it's cheap and they can factor in security breaches as simply a cost of doing business. A lot of these problems come as a result of an engineer prototyping or creating something on a tight budget, which then eventually gets deployed out either because said engineer leaves or against their own wishes.

It's similar to housing. Training engineers to build a house correctly doesn't matter if the punishment for the house not meeting code is a slap on the wrist for their employer. Because their employer will just tell them to build fast and ignore the right way to build something.



