I'm not disagreeing with your overall point but this reads a bit like victim blaming. "Those sexy trains were manned so skimpily, and going down those long routes all alone at night, they were just asking for it!"
Certainly, because it is. I don't think it's wrong to view companies' responsibilities as being different from those of an individual.
For example, if a company chooses to ignore a RCE vulnerability in their software for years, are they to blame when that vulnerability is exploited? I'd say absolutely they are.
At the same time, banks and other businesses take responsibility and pay for armored cars to do pick-ups. They don't just wing it and hope for the best.
One question though, what are the laws like surrounding security for trains in the US? In Canada, security employed by rail companies have actually been granted all the powers of a police officer by the government.
The cost of the losses is likely less than the cost of increased security. If it was more profitable to use “armoured cars” they would be doing it. No company willingly chooses the less profitable option.
1. We do expect people to take preventative measures. I think this is more like someone being blamed for a burglary because they left their house unlocked. I have had car insurance policies that excluded theft resulting from leaving the key in the car.
For example, if a company chooses to ignore a RCE vulnerability in their software for years, are they to blame when that vulnerability is exploited? I'd say absolutely they are.