Thank you for the clarification Dark Viper, and for asking the question CodeALot.
Here is a situation I have encountered with a couple of clients. I was contracted to built websites for them way back when WB 2.8.1 was new and they have managed their sites ever since. As a courtesy I contact these clients with upgrade information (especially the latest security threats) and offer my advice and services to do the upgrades for them. They have always decided not to hire me and remain on WB 2.8.1. They are of the mind that the site works, so why put more money into it. I can't force them to pay me to keep their installation safe. I provide links to the threats and WB Forum follow up info, in hopes of educating them, but I have my doubts if they ever click the links.
My general question is, do any other designers/developers encounter this kind of scenario, and if so, how do you handle it? Specifically, when they continue to hire you to do work on their outdated and un-secure site. I have thought about saying "I will not do any further design/development work on the site until you upgrade to the latest WB version", but I fear they will just stop contacting me all together.
More specific to this topic, since these two sites do not use the frontend sign-up functionality, will this particular vulnerability be removed if I simply delete the signup2.php file, as suggested by Ruud? I know that all the other security vulnerabilities (fixed in 2.10.0) will remain, but I might have luck getting these stingy clients to pay for me to do a really quick fix like this and make their site a small amount more secure.