XSS

This tag is associated with 1 post

How I tell my clients that XSS is bad

The mixed bag of reactions to XSS, or Cross-Site Scripting, vulnerabilities is interesting to watch. As a security professional, I’ve audited banking applications based on web technologies and have in all cases come away with at least one XSS vulnerability. When presented to the client and to the vendor, I get some interesting reactions.
“You [...]