One might suggest that the agreement was for the developer to only provide a basic password protection scheme, maybe to just prevent robots and other crawlers. Perhaps the assets and documents located behind the login screen aren't sensitive at all.
Heck, maybe the password is publicy posted in other forums.
What does concern me, though, as a web developer, is the liklihood of someone assuming that the security of this form is no weaker than their bank. That is, an employee may upload a truly sensitive document to this location under the assumption that this form provides adequate protection.