I told them so...
A couple of years ago, and a bit before that as well. Specifically, I told OpenVPN that the use of environment variables to run executables on Windows was regarded as a security flaw, and how to avoid that. There wasn't any interest -- it kind of seemed like the idea of environment variables as a security flaw was alien.