Well, we consider that a small bug or 0day vulnerability in a web-application can open the door to a deeper system impairment. The pirate, once he has access to a system, can attack a network from within, find and exploit relationships of trust and penetrate connected systems otherwise unattainable. For this reason the sql injection, for example, and other bugs in web-applications should never be underestimated!
A sql injection attack is to exploit a lack of validation of user-supplied input to the web-application. Taking advantage of this gap the pirate has the right to insert sql code and subvert the default logic, forcing the system. SQL is the language used to interrogate databases. By manipulating the logic of these scripts, he can also find passwords (encrypted) stored in the database itself. This is one of the most common hacking techniques of recent times.
As I always say, a security system is as strong as the weakest link. Find a weakness and exploit it properly can lead to the total defeat of the security system itself and ... all this because of a clumsy handling user input and no anti-exploit app can 100% protect you!