I'd say this is more akin to stashing a bunch of money in a self-storage unit instead of a bank account. One explicitly insures against theft, the other does not. The onus is on you as a customer to decide what to go with.
> One explicitly insures against theft, the other does not.
I'd take issue with that summary. If I put things in a self-storage unit, and it gets robbed because some employee left his master key under the door mat, regardless of how bad of an idea it was to store my money there, that's still their issue.
Think about it this way. I could store my money under a table at McDonald's, in a self-storage unit, or in a bank. Clearly the self-storage unit should provide me some more security than McDonald's. So when an attacker gets access through some really trivial method that they really should be protected against, that's their fault; it doesn't matter that there was a better security option, because it's still below what I was paying for.
"So when an attacker gets access through some really trivial method that they really should be protected against, that's their fault"
A good point but keep in mind that courts don't have the level of expertise to judge what in terms of security is trivial and what is not.
The person trying the case and/or the jury may very well be someone who uses "football" as a password.
Also there are multiple cases of the very best companies with supposedly the highest levels of security getting hacked on a regular basis (might be a small percentage but it always makes the news). Consequently any company defending could make an argument that "this stuff happens even with the best and brightest" and it might be believed. (Well anyway that's what I would argue if I was a lawyer..)
So the public could easily be convinced in the case of a technology company something that would never fly as far as a screwup at the self storage - something physical that they can relate to (like leaving a door unlocked which is easy to understand).
