I'd say it closer to: "if he monkies no pun intended) with the alarm system, without authority--and possibly without the skills to know that the monkeying is improving and not worsening the risk

It sounds like anything short of placing a button saying "click here for all our clients credit card numbers" on the main page would be an improvement.

The true crackers, the one's that you never hear about because they do their dirty deeds quietly, without fuss and without leaving traces.

Exactly, so why would they sit idly by for weeks (or years from the sound of it) while the site's vulnerable? They wouldn't, and quite possibly, didn't. In any case, this is no excuse whatsoever for not securing a system.

I also fail to see how tilly's situation is in the slightest bit relevant to this. Maybe if Gerard was rewriting the system on company time and attempting to release the source code for it, without his employers permission, after signing a restrictive agreement, tilly's situation might be apply.

First, he has already tried to get authorisation to make the improvements...and was turned down! Hence his question.

Well, the obvious replies are "decide if you really want to work there" and "listen to your employer, don't go looking for trouble" but those are boring and I get tired of repeating them :). I also don't think avoiding trouble is the best career move, there is something to be said for initiative.