Some services will ignore security entirely at first, because it doesn't directly contribute to getting a viable product to market quickly (obviously, users will use an insecure site or app so long as they don't know how insecure it is). Then when the app becomes viable, they will continue to ignore security because it doesn't directly contribute to growth. Security becomes part of the nebulous "optimization" stage which is pushed somewhere down the road - and at some point the application becomes so complex that security isn't deemed worth the effort or the money.
I'm not saying that's what happened here, and depending on the language and platform you're using, XSS can be a difficult problem to solve. But it does seem to be a common trait to disregard security until you have to apologize for it.
<script>javascript</script> is the first payload you try when looking for the stupidest XSS you can find....