[larrys]

"So when an attacker gets access through some really trivial method that they really should be protected against, that's their fault"

A good point but keep in mind that courts don't have the level of expertise to judge what in terms of security is trivial and what is not.

The person trying the case and/or the jury may very well be someone who uses "football" as a password.

Also there are multiple cases of the very best companies with supposedly the highest levels of security getting hacked on a regular basis (might be a small percentage but it always makes the news). Consequently any company defending could make an argument that "this stuff happens even with the best and brightest" and it might be believed. (Well anyway that's what I would argue if I was a lawyer..)

So the public could easily be convinced in the case of a technology company something that would never fly as far as a screwup at the self storage - something physical that they can relate to (like leaving a door unlocked which is easy to understand).