Here on HN we often say "security through obscurity is no security." Relying on the fact that it is "illegal" for someone to hack your system to prevent them from doing so is similarly flawed logic.
That path has dangers all around (though, financial regulations try somewhat, don't they?) but it's a different discussion than victim blaming.
This is a company charged with processing financial information that apparently didnt sufficiently protect the data.