The blame would rest on the admin who set the permissions. You can't blame a lock for not being locked, but you can blame the night watchman for not locking it. This doesn't remove blame from the intruder though.
A webserver that doesn't restrict access (not even obfuscating the URL) is more similar to a "Free reading material!" shelf at the bookstore. If you go and take one of everything, it's not your fault if the bookstore mistakenly put things there that they'd intended not to be freely available.