>If a user on your website accidentally finds an exploit that could let him steal your user database but he didn't mean to and didn't do anything with it... do you a.) Say "well he wasn't a real threat, back to the TV" or b.) Prevent anyone else from getting in the same way?
This line of logic is going the exact wrong way. In the case of a website, there are known exploiters out there stealing data and money continuously. If you have a hole it will be found and exploited with near 100% certainty. Further, fixing your hole doesn't hurt anyone and usually doesn't even inconvenience them.
Airport "security", on the other hand, is against a threat that never seems to materialize [1] and is massively inconvenient to everyone who uses the system. This sort of thing is just shadow chasing. "Oh noes! If terrorists could somehow weaponize rats, they would be able to utilize the sewer system! We better spend billions to lock down the sewers, ASAP!". This hole has been open for how long? And yet, no terrorist attacks. It's not worth investing the resources it would take to fill the hole because statistically there's no reason to believe it will ever be exploited by a terrorist.
[1] Relative to internet attacks, which are constant, terrorist attacks against the US are statistically non-existent. There are probably more cyber attacks on US websites in a single day than terrorist attacks committed on US soil in its entire history.
> This hole has been open for how long? And yet, no terrorist attacks.
Typically when a website is hacked it isn't because they opened up a vulnerability the day before, it too has been around a while before anyone malicious found it.
The rest of your argument is all about the general security theatre situation, where yes, I agree they are going over the top against very little threat. My point was that, given this policy, they had two choices here - either close the security hole ASAP, or say "to be honest, this whole security thing's a bit of a joke, let's all go home".
Or option 3: "we know we should've known a guy had made it onto the Tarmac before he made it all the way to the terminals. There's obviously something wrong there. But there's no need to worry about ze terrorists storming airport beach fronts, so heavily armed response is probably overkill. It'd be a little difficult to miss something like that."
This line of logic is going the exact wrong way. In the case of a website, there are known exploiters out there stealing data and money continuously. If you have a hole it will be found and exploited with near 100% certainty. Further, fixing your hole doesn't hurt anyone and usually doesn't even inconvenience them.
Airport "security", on the other hand, is against a threat that never seems to materialize [1] and is massively inconvenient to everyone who uses the system. This sort of thing is just shadow chasing. "Oh noes! If terrorists could somehow weaponize rats, they would be able to utilize the sewer system! We better spend billions to lock down the sewers, ASAP!". This hole has been open for how long? And yet, no terrorist attacks. It's not worth investing the resources it would take to fill the hole because statistically there's no reason to believe it will ever be exploited by a terrorist.
[1] Relative to internet attacks, which are constant, terrorist attacks against the US are statistically non-existent. There are probably more cyber attacks on US websites in a single day than terrorist attacks committed on US soil in its entire history.