I don't agree with your metaphor; Sony aren't simply walking down the street, they are responsible for the security of more than their own network (in the metaphor, their own life) - they are responsible for the data and identity of all the customers they keep on file.
So it's more like a bus driver, driving a bus down a road.
Now a SQL injection is only possible if the coder who wrote the Sony server software was an incompetent moron AND no proper code review has been done. Securing your inputs is not at all hard. If I can do it, so can Sony.
In the metaphor, this is equivalent to the bus company neglecting to have the bus repaired/maintained regularly. The result is that the bus is held together by one bolt. Now the person that undoes that bolt is a criminal, yes. But the bus company sure aren't free of blame by a long shot.