I know some people involved in one that might possibly win the award for the worst ever.
The scene: development of an on-line pharmacy. Users would be entering personal identification information, medical information. HIPAA protections required.
The main character: a Fortune 500 company doing the development, mostly in-house.
Secondary character: a very large communications vendor.
The good guys: the development team.
The bad guys: their management.
The plot: main character buys a Customer Relationship Management (CRM) system from the communications vendor. The only piece not developed in house. The CRM system runs on SQL 2000.
Which thickens: the CRM product has its login hard-coded into the app, and the vendor won't change it. The login: sa, blank password. The good guys try their best to put the brakes on the project, pointing out that even if the system doesn't get hacked from outside, HIPAA-protected information will be available to anyone in the company who can discover default instances of SQL Server. The villains press forward anyway, launching the site without ever reporting any concerns to their superiors.
Several years later, under new management, the site is still live and still unprotected, and the CRM product is no longer supported by the vendor. The good guys report the issue again during a security audit. New management pushes the concerns up to senior-level management, but it never gets to the executive level. The server gets put behind a firewall to at least attempt to protect it from insiders.
The end: a couple years later the online pharmacy is finally shut down. No one knows whether any information was ever compromised. Probably not, but that's the point: who knows?