I think we agree. By doing your best to implement security measures (hire cybersecurity consultants, install the software they recommend, etc.) you are still exposed to risk, just significantly diminished since generally hackers would go after easier targets.
At issue is that many firms do not implement these security measures at all. The Sony people were repeatedly warned and had earlier breeches but didn't want to spend the money it took to follow measures recommended to them until after the attack. I think their mindset is not so unique and that many firms aren't doing what they can to try to eliminate the breeches. In some cases, the issues are internal, but in others customer lists are breeched, etc. or credit cards hacked as in Target, Lowe's, and others.
At issue is that many firms do not implement these security measures at all. The Sony people were repeatedly warned and had earlier breeches but didn't want to spend the money it took to follow measures recommended to them until after the attack. I think their mindset is not so unique and that many firms aren't doing what they can to try to eliminate the breeches. In some cases, the issues are internal, but in others customer lists are breeched, etc. or credit cards hacked as in Target, Lowe's, and others.