This deviation from best practices is far from rare. Any experienced security practitioner can tell stories of other, supposedly security-sensitive organizations, that have the same or even more lax password storage standards. There are a lot of potential reasons for this but I’d like to offer two major root causes:

• In the widely accepted “test ourselves secure” approach, vulnerabilities that can’t be identified during penetration tests or automated static analysis never get fixed
• Very few organizations invest in security in requirements. Hashing and salting passwords is a very well-known security requirement. Organizations that track adherence to security requirements can identify and actively track deviations

There are plenty of security issues that we’ll simply never catch or fix if we continue to rely exclusively on testing & static analysis. Secure Application Lifecycle Management is one scalable, consistent way to ensure we bring visibility to these kinds of issues.