Many businesses don’t have full time developers. They contract out to agencies who build the website for them. The agencies have a rotating cast of developers and after the initial encounter with their good devs they try to rotate the least experienced developers into handling the contract (unless the company complains, which many don’t).

The vulnerability emails probably got dismissed as spam, or forwarded on and ignored, or they’re caught in some PM’s queue of things to schedule meetings about with the client so they can bill as much as possible to fix it.

> Some days I think one ought to be licensed to touch a computer.

There are plenty of examples of fields where professional licensing is mandatory but you can still find large numbers of incompetent licensed people anyway. Medical doctors have massive education and licensing requirements, but there is no shortage of quack doctors and licensed alternative medicine practitioners anyway.

Sadly, this is true, and theres probably much more. We did our best, sent customized emails to each of them, telling what was affected, how to fix it, and how to get in contact.

Correct, that's why we couldn't post a list of affected sites or malicious actors would immediately abuse it :/

It seems reasonable to assume that the exposed information has already fallen into the wrong hands. Might as well post the list at this point (or at some point, at least) so that any users of those sites can become aware, no?

Shouldn't encrypting all databased records be the only sane, safe and legal solution with decryption key sent to local (to the website owner) law enforcement when site owners aren't responsive?

Not saying you should do that given the current state of the laws.

It'll now take them 2-3 weeks to get the details.

Until PII compromise puts a company out of business, it's just a cost (to you) of doing business (for them).

True, but also better than threat actors getting to it and dumping the DB, causing more problems for the customers.