
There are security issues, and then there is this.

Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.




> Not doing authentication on some things isn't an "oh shit" moment, it's a "we're doing all of this very wrong" moment.

Then again it's all over HTTP so that was off to a bad start.


Or as Dropbox showed, it really is just a moment, with no real enduring impact.


And that's the problem in the industry. Unless you close up shop, a breach doesn't really impact your business that much. Linode, for example, had several security incidents where they did not tell their customers in any reasonable time, or in some cases, lied to their customers until they were forced to tell the truth. After one such incident where card numbers were reportedly stolen (but Linode said they weren't), I closed my account, cancelled the card I was using, and moved to DigitalOcean. And whenever I mention this, I get a hundred people saying "Linode is awesome and all of that was in the past!". I don't care. They screwed me over multiple times, were dishonest with me as a paying customer, and proved to me they cannot be trusted. Sorry Sony. You get breached once, I might forgive you. You get breached twice, you're doing something wrong. You get breached again and again, you no longer exist in my mind.

Security is not a game, and it's not an afterthought. But some days it seems I am the only person who feels that way. I still don't shop at Target or Home Depot. They need to feel the impact of their business decisions, instead of putting the cost of security onto their customers or the customer's bank.


Just as another datapoint, I used to keep a couple of virtual machines at Linode.

After seeing how they acted after their security breaches, I left for DigitalOcean. I've also recommended DO over Linode to other people for that reason.

I should note it wasn't the fact they had a security incident, that happens. It was the way they 'communicated' it.



