Have an opinion about security? Raymond Chen sure does, and he's not happy when he has to fix compatibility issues caused by patches. But who's really at fault:
-- the client developer, for working with someone he didn't know would later be deemed a security hole?
-- the API publisher, for releasing the security hole in the first place?
Chen seems to come down on the side of the API publisher (understandable, since he works for MS), saying that "The real fix is not to rely on the security hole." That seems a bit self-evident -- after all, few people would rely on a security hole if they knew it was a security hole to begin with.