> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

In most of these cases, the companies involved did NOT follow standard security practices.

I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.