Some bugs are incredibly complex, however I do not think that exposing the user id in an HTML form and having a skeleton key style confirmation code that is not directly linked to a specific user is a complex bug. I agree that you can't just pay some large sum of money to have everything fixed before release: bugs happen. But security should be one of the number one priorities when designing and developing a new feature. This seems like little more than negligence on the part of the dev team and I think it is right that people are upset/bewildered that a security bug like this could be put into a production feature.