All the security books I read so far (4 at this point) mentioned the same adage: "The internet is an hostile environment".
If you make a web app, people will try to mess with it for different reasons (ranging from profit to simply messing with it because they can).
No point asking the scripters to stop. There are hundreds (probably thousands even) of these morons out there and the only way to alleviate the problem is to deter them with good security and whenever possible, identify them and stick a lawsuit on their sorry arses.
The fact that scripters managed to mass-produce provinces shows that the security of the game was inadequate.
Then again, most companies nowadays don't take security seriously enough so the problem is not unique to S&B.
If nothing else, I'm glad I got to witness the damage these degenerates can do on someone else's app (as opposed to my own). It was very educational.
I'll be sure to crank security a notch and come down hard on those m***os.
If I make a sizeable profit, one of the first things I'll do with it is to get myself a good lawyer.