Frankly what is necessary here is a version of medical malpractice for the IT industry. If you do something which is far outside what is considered industry best practice and it results in a penetration which harms users, you should be criminally liable in severe cases with strong punishments. People from these companies should also be black balled out of the industry.