Your descriptions of the painful bugs are all apt; you're absolutely right that it should deter anybody from feeling like their data is in good hands.
But just as you can find a bug deep in the code, you can also go up the stack and ask how it got there: how were the specs for a valid username defined and published? Where were the tests—or at the very least, QA procedures—that should have encoded and verified those specs? Where were the managers that should have made sure those tests existed? Where was the manager's manager that should have delegated resources to the manager to get those tests written? Where was the manager's manager's manager who knew how to hire someone who would value quality control? Who was on the government procurement panel that did not adequately assess their contractor's ability to deliver quality?