From the responses I received, it's clear that I inadvertently wrote some flamebait.
I certainly don't advocate criminal charges for designers of insecure systems, as you might see for a civil engineer. I was trying to suggest that the core of the problem - insecure systems - is lost in the he-said-she-said of hackers vs douchebag-bureaucrats.
Your argument about "no such thing as a secure system" applies just as well to life-safety engineering. Rare, unforeseen events can have huge consequences. You build a bridge to code, and then one day you get wind-gusts at the exact right resonant frequency, and the bridge collapses.
No one gets blamed, but the cause is reviewed and the codes are updated and the next guy who forgets them gets in trouble.
There are a number of well-known attacks for which there is no longer any excuse. SQL injection is one of those. Now, software tends to be more complex than civil engineering, so I don't expect perfection from systems. But I do expect web-connected software to be written as if it's being attacked all the time (it is), and for security holes to be taken as seriously as that warrants.
Other responses have suggested that a civil engineer wouldn't be held accountable if their building collapsed due to sabotage. I argue that they certainly would if all public buildings were being sabotaged all the time, and their particular building collapsed from a Molotov cocktail.
==
As an aside, I also take some exception to the claim that there "is no such thing as a secure system". When we see security failures like this one, it's not through social engineering or physical access. It's through a standard HTTP(s) request. It is possible to design a secure system given that assumption.
Yes, router or server security issues can open security holes. And for non-trivial software, it's effectively impossible to prove that a system is secure. But provable or not, there are plenty of systems on the web that can be used exactly as permitted, while not exposing a single security flaw when accessed over HTTP(s). Secure.