I'm certainly not trying to defend them. I'm just saying that a serious commitment to security doesn't preclude breaches any more than a serious commitment to quality precludes recalls. You only need to screw a minute detail up to get in trouble, and so far no distinction has been made between companies that have actually been incompetent/irresponsible and others.
How about instead of just saying "We take security seriously," disclose some evidence. What specific things do we normally do to keep customer data secure and prepare for attacks? How did that preparation fail this time? What was this particular attack vector? What exactly was compromised, and when? What specific, verifiable steps are we taking to make the victims (customers) whole? What specific, verifiable corrective action are we taking in order to prevent this kind and other kinds of breaches going forward?
Just saying "We take security seriously" is like saying (to quote Chris Rock) "I take CARE of my kids!" What do you want, a cookie? That's what you're supposed to do.
