While I've never been the target of a security breach (which this isn't, by the way; afaik it's a DDoS), I could easily see how the cost to fix something after it's been breached is a lot more expensive than fixing the original hole to begin with.
If you've ever worked on computers that have had a rootkit installed on them, a smart person quickly learns that at that point the system is basically to be untrusted. You really have no idea how exactly the system has been compromised other than maybe via the original attack. There could be who knows what else left over in one of the thousands to millions of binaries that your system now has after the breach was done.
So, what do you do? Well, there tend to be two options: Comb over the entire system to see what has been done and undo it, or the nuclear option of just reformatting the hard drive and reinstalling the OS and everything from scratch. Either way, both of these are much bigger time sinks than simply patching the system to begin with. Those costs go up much higher in a datacenter where multiple different systems have been compromised.
That's also ignoring the fact that if you were a responsible company, you'd offer identity protection services to your customers if their data has been compromised (many companies do this; when Monoprice was breached they did this). That isn't free. And they'll probably never get whoever breached the system to ever fully pay for it anyways (blood from a rock), but it's an expense they have to deal with anyways.
An analogy to this, by the way, is leaving your door unlocked during the day while you're home, and some random smartass just walks inside and shits on your couch, and in civil court some judge tells you that he awards you no damages because you should have kept your door locked.