You have a very rosy view of software development within the private sector. I spent 30 years doing database development for private companies on products that were sold to customers and I can only say that putting your trust in them blindly is a bit of a mistake. At least with an in-house app, I know exactly what I am dealing with and the only person I need to trust is myself and others in the team.
If a school (head, SMT, governors, parents, staff) decide to use an open-source product to access their MIS system, which is fine, they have to assess the risk and the damage that it could cause if a security hole is exploited. If you purchase a product off the shelf, the company would have hired a 3rd party to regularly security check their software and would have insurance to cover any costs that might occur if the worst happens.
I am entirely comfortable with what I am doing, how I am doing it and perhaps most importantly why I am doing it. I don't believe there is any danger of me being fired for doing it, but thank you for your concern. I'm a strong believer that we own our own data and have the rights to access it in whatever way suits us best. I'm not encouraging others to follow my 'lead', just trying to put information where others who might find it useful might find it.
Clearly posting on a public forum that you're ignoring the approved methods of data access is silly. If you've actually done it, your leaving your school vulnerable and unsupported is professional gross misconduct. I hope for anyone's sake that ignores the approved methods that they have covered their backs (in writing) and for the school's sake, they don't end up getting hacked.