Web site overdue for an update? Guilty. On my to-do list for years [and probably years from now].
Krebs on Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and MasterCard. Target wouldn't have caught it as soon as they did unless they were told.
Negligent? Er, uh, yup.
But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.
It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs.
[See? Lousy HTML skills. Sorry.]