I'll bite. Why is it the fault of the organization that gets broken into, rather than the fault of the attackers breaking into it? Even if the defender takes every reasonable defensive measure, they could still get pwned from some zero day that they had no defense against. Should they be fined into oblivion for something like that?