by garrettdc
3172 days ago
The moral issue isn't one of technical competence, but rather of having the integrity to perform the appropriate due diligence required of a company handling such sensitive information. No security professional is going to argue that you can or will prevent every vulnerability from being exploited. However, when you leave a critical vulnerability open for months on end, you knowingly and unnecessarily expose yourself, and any parties associated with you (by choice or otherwise), to a level of risk that is unacceptable. If this were a 0-day exploit, then the conversation would be different. If their execs hadn't sold off so much stock at such a suspect moment, then the conversation would be different. If the IT department had appropriately begun remediating the vulnerability within a respectable timeframe but had already been exploited, then the conversation would be different.