What if the CSO informed engineering teams, got stonewalled, and, a few weeks later, escalated through the company's risk process (Panera is public, or was before it was bought by a public company, and will have a risk process)? What do people here think a CSO does? If your mental model is "decree that something is safe to deploy publicly, or else forbid its deployment", your model is broken. Most CSOs have an advisory role in the organization, and the real institutional power comes either from engineering or from the CIO.
This security director handled Dylan's bug report badly and deserves the reputation hit he's getting. But if we're going to suggest liability (let alone criminal liability) for security flaws, we should at least have some idea of what it is we're regulating.
If we were running under the liability model, the CSO's final option would be to resign, which sucks. But he is basically in the same situation as any employee who is being forced to do something that is clearly illegal. But I guess that is a good argument for why liability might not work: you end up not having a security team, or you put good people into legal dilemmas that they shouldn't have to deal with.