I'd wager it wasn't the security team that dropped the ball. I work in the same role (I'm the most senior member of the security team), and I can tell you first hand that I don't have the authorization to act in matters of that scope independent of the executive team in situations like those. I have to forward my recommendations up the chain and get approval.
That causes delays. Often times, things then get lost in the executive level. Whenever there are contractors involved it's even worse as they spend a week or so arguing over whose responsibility it is, who is going to pay for it, how much down time it's going to represent, how much money they're going to lose, etc,etc, etc. Executives are also really bad at judging risk when it comes to security. They'll expose themselves and their companies to staggering amounts of risk - if for no other reason - than the fact that the failure/security breach/what-have-you isn't impacting business "right now" but shutting down an ecommerce system to patch it will impact the bottom line *right now* and they would rather risk "maybe" losing money at some future date than know they're losing money "right now".
Executives will mortgage their companies futures at every possible opportunity for a few extra dollars today.
The number of times I've taken a GLARING security issue up only to have the "how long can we leave it before it impacts business" be their main concern. If it's a vulnerability on a production, WAN facing system - but we don't have evidence of it being actively exploited - it's not considered to be as critical as taking that system offline for an hour to patch/test it. The certainty of lost revenue in that hour is more meaningful than the potential of abuse at a later date. Worst part of it all is that when that later date does come around and things get really bad, they all point their collective fingers at the security team and none of them take any responsibility whatsoever.
You're damned if you do, damned if you don't and blamed all the way around.
Corporate InfoSec is a very, very frustrating occupation. I feel for those poor guys at Target.