It's not incorrect, but it's somewhat telling that such a massive vulnerability that they were fully aware of "has been running for a long time" and rather than fork over $179.95 for the new version of aMember which would have completely fixed the vulnerability, they chose instead to let the vulnerability remain while they embarked on a greenfield project to rewrite their membership system from scratch. This rewrite would take an indeterminate amount of time whereas they could have paid a paltry sum for the upgrade and implemented it in less than 48 hours... as they just did.

I get that it's a prioritization issue. I've worked at places where legacy software had poor security practices and it's often a judgment call as to the risk of just letting it be vs. taking the time to rewrite whatever insecure portion remained. Often the decision is to leave it when it's a one-off project that will be shut down within a month, there is a limited attack surface involved, and the data being stored insecurely is very low value. On the other hand, security issues affecting the very core of a website (the login system that 100% of a company's revenue depends on) should get addressed as soon as the vulnerability is discovered. Additionally, they state that a server was compromised... it's not clear whether this was a SQL injection exploit that happened to display the users table remotely with no privilege escalation, or whether the server was compromised via a poorly chosen SSH password or similar and they may be dealing with a situation where rogue code is still living on one or more servers.