Like most failures, the analysis needs to identify a chain of events involving various failures; perhaps it would go something like this:
1. Industry and libraries commonly use strings for path/URI manipulation.
2. A software engineer did so in the installer and made a typo.
3. Code review did not identify the problem.
4. QA (and the CI process) didn't test on a Mac that was either old enough not to have SIP or had SIP disabled.
5. Many Mac users, especially in specialized environments running custom or specialized kernel extensions and drivers, use macOS with SIP disabled.
6. Chrome is widespread enough that some users in (5) downloaded the update. That subset had their Mac systems hosed.
I would identify (2), (3), and (4) as problems in the chain where Google carries blame.
Like most failures, the analysis needs to identify a chain of events involving various failures; perhaps it would go something like this:
1. Industry and libraries commonly use strings for path/URI manipulation.
2. A software engineer did so in the installer and made a typo.
3. Code review did not identify the problem.
4. QA (and the CI process) didn't test on a Mac that was either old enough not to have SIP or had SIP disabled.
5. Many Mac users, especially in specialized environments running custom or specialized kernel extensions and drivers, use macOS with SIP disabled.
6. Chrome is widespread enough that some users in (5) downloaded the update. That subset had their Mac systems hosed.
I would identify (2), (3), and (4) as problems in the chain where Google carries blame.