
Having implemented security protocols and used state machines to track state, this is a surprisingly easy (if embarrassing) mistake to make. It’s very easy to spend a lot of energy validating the documented state transitions and essentially forget to ban all other transitions.

For me this is much less “OMG how could they be so careless” and much more “There but for the grace of a diligent set of testers go I”.
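The failure mode the comment describes, implemented both ways, as an added example that is not part of the original thread: a toy handshake state machine (hypothetical states and message names, constructed here) where the permissive version implements every documented transition correctly yet never asks whether the message is legal in the current state, and a strict version whose transition table is the entire specification and which aborts on any pair that is not in it. The last function is the check a reviewer would want: enumerate every undocumented (state, message) pair and confirm each one is rejected.

```python
from enum import Enum, auto


class State(Enum):
    INIT = auto()
    HELLO_DONE = auto()
    KEYS_DONE = auto()
    ESTABLISHED = auto()
    ABORTED = auto()


# Hypothetical handshake message names (constructed for this example).
MESSAGES = ("ClientHello", "KeyExchange", "Finished", "AppData")


class PermissiveHandshake:
    """The mistake: each documented transition is implemented, but the
    handler never checks that the message is allowed in the current state."""

    def __init__(self):
        self.state = State.INIT
        self.keys_installed = False

    def feed(self, msg):
        if msg == "ClientHello":
            self.state = State.HELLO_DONE
        elif msg == "KeyExchange":
            self.keys_installed = True
            self.state = State.KEYS_DONE
        elif msg == "Finished":
            # Processes the documented step without requiring that
            # KeyExchange happened first, so the session can be "established"
            # with no keys ever installed.
            self.state = State.ESTABLISHED
        elif msg == "AppData":
            pass  # accepted silently whatever the state
        return self.state


class StrictHandshake:
    """Default deny: the transition table is the whole specification, and
    any (state, message) pair absent from it aborts the session."""

    TRANSITIONS = {
        (State.INIT, "ClientHello"): State.HELLO_DONE,
        (State.HELLO_DONE, "KeyExchange"): State.KEYS_DONE,
        (State.KEYS_DONE, "Finished"): State.ESTABLISHED,
        (State.ESTABLISHED, "AppData"): State.ESTABLISHED,
    }

    def __init__(self):
        self.state = State.INIT
        self.keys_installed = False

    def feed(self, msg):
        nxt = self.TRANSITIONS.get((self.state, msg))
        if nxt is None:
            self.state = State.ABORTED  # everything not listed is banned
            return self.state
        if msg == "KeyExchange":
            self.keys_installed = True
        self.state = nxt
        return self.state


def run(machine_cls, messages):
    """Drive a fresh machine with a message sequence; return (final state,
    whether keys were ever installed)."""
    m = machine_cls()
    for msg in messages:
        if m.feed(msg) is State.ABORTED:
            break
    return m.state, m.keys_installed


def undocumented_pairs_accepted(machine_cls):
    """Negative test: every (state, message) pair that is not in the documented
    transition table must lead to ABORTED. Returns the pairs that were wrongly
    accepted; an empty list means default deny holds."""
    documented = set(StrictHandshake.TRANSITIONS)
    leaks = []
    for state in State:
        if state is State.ABORTED:
            continue
        for msg in MESSAGES:
            if (state, msg) in documented:
                continue
            m = machine_cls()
            m.state = state  # place the machine directly in the state under test
            if m.feed(msg) is not State.ABORTED:
                leaks.append((state, msg))
    return leaks


if __name__ == "__main__":
    out_of_order = ["Finished", "AppData"]
    print("permissive:", run(PermissiveHandshake, out_of_order))
    print("strict:    ", run(StrictHandshake, out_of_order))
    print("permissive leaks:", len(undocumented_pairs_accepted(PermissiveHandshake)))
    print("strict leaks:    ", len(undocumented_pairs_accepted(StrictHandshake)))
```

The point of `undocumented_pairs_accepted` is that it is generated from the table rather than written by hand: the positive tests cover the transitions the author remembered to document, while this one covers the complement, which is exactly the set that a transition-by-transition review tends to forget.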



