One could argue from inspection that, when it comes to security, Equifax's talent is scarcely better than random schmoes, yes.
But it's not just about preventing the hiring of "random schmoes". It's about legally formalizing responsibility and accountability, and the incentive structure that arises from that. As before, this is well-tested in other professions.
Facebook might have made different decisions if they had special legal obligations regarding "the handling of sensitive personal information." Perhaps their engineers would have thought twice about giving unfettered access to third-party APIs if they knew that a breach down the line could ruin their careers.