Right. I think the reasonable complaint in these cases is that the damages should cover the cost of investigation that resulted directly from the breach, not the cost of fixing the original security vulnerability and/or auditing the entire system.
If you break into a bank, then the bank is right to ask for damages of amount stolen + amount necessary to sweep their building for any backdoors you might've added and repair any damage. That's fair. They shouldn't be suing for the cost of an upgrade to their security system or a new training course for their security officers.
If you break into a bank, then the bank is right to ask for damages of amount stolen + amount necessary to sweep their building for any backdoors you might've added and repair any damage. That's fair. They shouldn't be suing for the cost of an upgrade to their security system or a new training course for their security officers.