So it's possible to compromise a Basecamp account when the victim, with a valid session, clicks on a link. I think this is a bad thing to have happen. Basecamp considers script injection in their application a feature. While I can see the justification of this for the private forum and maybe other areas of the application. I can't see this for anonymous portions of the application. I think that Basecamp support is programmed to copy and paste the response I received that they didn't bother to really consider what they are reporting.
Moral of the story? Not all companies give a crap the security of their customers accounts and data. It is up to you as a business to take control of your security, have the software and services you used assessed so you can be comfortable in your security posture.
Also: XSS is not a feature.
David Hansson from 37signals has confirmed that the anonymous xss within the search feature has been addressed. They have also created a firstname.lastname@example.org address to accept security concerns for their sites. While this does not correct all of the security concerns with basecamp this is a great step forward for 37signals and hopefully marks the start of a higher priority for security.