All companies get breached; not all of them get breached via vulnerabilities that were known and patchable for two months prior to the breach being detected. Further, not all companies handle such large amounts of sensitive information. Equifax's IT staff should have known better, as a whole. I have seen it argued elsewhere on the internet that their CSO, who only had a degree in music, should not be blamed for the breach; I have also seen statements claiming that cross-field collaboration is important, and that many innovations have come from people working outside of their main field of study or from uneducated backgrounds. Neither of these statements excuses what happened. Further, I would argue that if the Equifax CSO were innovating in her field by bringing some sort of new insight to security, we would not be talking about aa breach.
A "two-wrongs make a right" argument is hardly one that obtains here. First, the truth of that statement is irrelevant: Most hacked companies find themselves in that situation, as was the case here, through poor practices.
Second, this is Equifax. A company that includes in its product portfolio monitoring tools for those unfortunate enough to have their information compromised. Explicit in this is an acknowledgement of the seriousness and need to keep such information very well protected.
Saying "all companies get hacked" is akin to a lock company having its offices get broken into and master keys stolen and duplicated for all of its locks. And not through creative picking but simple lock bumping of insecure locks. And then saying, "well all businesses get robbed sometimes".
If such a hypothetical company were very, very lucky, they might still exist a year on from the the breakin.
