I edited my post, but I don't think that's really fair. The business most likely outsourced the development of their site to someone who probably assured them that they would build a secure site. The business probably trusted them (maybe the developer was even recommended), yet here we are. The business didn't know enough about building a secure website, so they hired someone they assumed did.
A solution to this is to hire a pentester for your site. You can find them for ~$5k, with followup tests for new features being around $2k. A professional, world-class pentest runs around $50k, but a lot of smaller sites can't afford that.
You can't really hire someone with the expectation that they'll develop secure code. Finding flaws in code people thought was secure is a pentester's job, and it's a completely different skillset.
Yes. A lot of them also respond with threats when you try to contact them to tell them about vulnerabilities. It's not really up to the author to shoulder that kind of responsibility.
What's even your analogy here? Because sometimes people have bad luck and you can make up a completely unrealistic scenario of how bad luck someone possibly could have, we should not hold anyone responsible for anything?
To give you an idea of how unrealistic your scenario is: In reality, yes, the owner of the damaged property could force you to pay for the repair, but also, you could force the plumber to reimburse you for that, and they in turn probably will have insurance for that sort of thing that will reimburse them in turn. No one would be kicked out of anything, except for the plumber by the insurer if they had that happen a bit too often.
Edit - Poor analogy removed.