When the 'solution' is worse than the problem

03.05.2006

On one hand, you might find an online bank's intrusion detection system tuned down because a web application's transaction validation causes chatter on the network -- an instance in which two good security controls unintentionally butt heads.

On the other hand, when the frustrated developer can't get a banking applet in the same system to work until her network admin buddy wipes the firewall rules clean with a bidirectional "allow all," someone needs to light up the fire pit and break out the barbecue sauce. The two are not equivalent situations. A sane workplace wouldn't treat them as equivalent. Clearly a bug, a vulnerability, or any other error condition is not prima facie evidence of incompetence or wrongdoing.

True, any IT or development group should reward good performance and weed out the bad.

It's perfectly reasonable to dig into flaws and vulnerabilities to see if they were caused by incompetence or malice.

But the superficial act of punishing discovery doesn't substitute for conducting introspective root-cause analysis.