Slashdot had an interesting post yesterday that I did not get a chance to comment on. I have seen similar situations, though not directly ethically related. A company I used to work for refuses to take security seriously because of the amount of extra work it would induce. I left over half a year ago, and I guarantee the workstations have not been patched since I left. As for the servers, I don't think they were ever patched in my three-plus years of working there. I explained, and I preached. But the culture was not to take it seriously. In patching the machines, the company would be filling a big hole. But there are applications that would need testing, and minor issues would need to be fixed; and the time spent on these activities is not considered well spent. I know the big fear in patching the servers is that the enterprise applications will fail to work after patching.
I've seen clients that don't want to implement any kind of security, but more out of ignorance than anything else. Typically, I've been to these clients in order to fix a problem, a problem that might not have occurred if basic security practices had been employed.
Fortunately, I haven't had to deal with outright ethics dilemmas. I can only imagine the headaches there.