The site being down for months is just the effect of this breach, it doesn't mean that the company made the wrong risk assessment by choosing to write their own software in the first place.
If I buy a car and I happen to crash it on the first day I drove it home, that doesn't mean I made the wrong choice to buy the car that day. I still bought the car based on the best information I had at the time.
M&S basically lost a lottery ticket type of bad luck scenario where they are dealing with a breach that is far, far worse than a typical data breach's impact.
Remember when the PlayStation Network was down for over a month due to a very serious breach? That breach didn't prove that PlayStation should have used some kind of external provider for its online services. In fact, an external provider for that sort o thing is not even practical for their business.
Remember, there's an alternate timeline where Shopify itself could be breached in a similarly severe way and also go down for 3 months. It's very unlikely but it's possible. If it can happen to M&S it could happen to Shopify.
If I buy a car and I happen to crash it on the first day I drove it home, that doesn't mean I made the wrong choice to buy the car that day. I still bought the car based on the best information I had at the time.
M&S basically lost a lottery ticket type of bad luck scenario where they are dealing with a breach that is far, far worse than a typical data breach's impact.
Remember when the PlayStation Network was down for over a month due to a very serious breach? That breach didn't prove that PlayStation should have used some kind of external provider for its online services. In fact, an external provider for that sort o thing is not even practical for their business.
Remember, there's an alternate timeline where Shopify itself could be breached in a similarly severe way and also go down for 3 months. It's very unlikely but it's possible. If it can happen to M&S it could happen to Shopify.