I don't understand your position:

1. In the first hack, if anything Okta over-communicated about the hack: the hack ended up being much less severe than they originally said was possible, and, from a security perspective, the hack didn't really have any negative consequences for customers.

2. Your second two links are about the same issue, which was a breach of their GitHub accounts. Again, it's worrisome that someone could find vulnerabilities in their source code, but no customer data was compromised.

You're free to think what you want about the severity of these hacks (I personally think they're low), but I don't see how you could have problems with "how they dealt with it each time". They seem to have had textbook-correct incident-response communications. What else would you suggest they should have done?

Also, given the nature of the breaches, I don't think they point to severe security-culture problems at the company (in contrast, for example, to the LastPass and SolarWinds breaches, which showed all the signs of a clown-show security culture IMO).


Identity providers are competing with passkeys now in non-business/org settings, and there is only so much IdP/SSO enterprise market share to fight over. Similar story with password managers (yes, yes, there will always be a market for folks who want to back up their passkeys to sovereign storage with a passkey manager, and that capability should exist, but your average user won't; they'll rely on iCloud/Google/Chrome storage, governance, and access controls for key material).

(IAM is a component of my work)


Absolutely this, plus the fact that this smells like a pet project that'll get shut down next time there's a reshuffle. Keep it.
