Security consultants say it is ‘easy’ to fix an XSS vulnerability. The only people qualified (and entitled) to make this ‘easiness’ assessment are the application developers and business owners. The security consultant’s responsibility ends when the problem/XSS is reported. It is not the consultant’s responsibility to do the root-cause analysis of the XSS reported, to decide where it should be fixed, or to determine what the REAL impact to the business is. The business will be the one that has to deal with any side-effects created by the fixes, and has to pay for it.
Source: http://diniscruz.blogspot.com/2010/09/why-do-we-think-we-can-comment-on-level.html