if the IT contractor got the systems hacked through negligence, that's their fault; and if they secured the systems, but a hack was still pulled off, that's where the insurance policy comes in.
The IT contractor can't stay on-site 24/7 and monitor all the employees. The biggest security problems come from inside the organization; from idiots writing down their passwords to double-clicking on every single attachment that they get, users will never stop creating new and interesting ways to be complete fucking idiots.
If I'm an IT consultant and suddenly have to take on the responsibility for all security breaches, I'm going to find another line of work. I'd spend all my time defending lawsuits from my clients who had a security breach due to nothing that I've done (or didn't do), but instead due to some moron ignoring the written AUP that I left with the client. Since as an IT consultant everything that happens on that network is my fault, I get either dragged into court by my client or my insurer refuses to pay and drops me, leaving me holding the bag for something that wasn't my fault. By the time I get done proving that what happened was not my responsibility, I've spent so much time getting the legal system to understand what happened and why it wasn't my fault that I haven't been able to create billable work for my other clients (if I have any after one of my clients gets broken into).
The only way to avoid that would be to have a voluminous contract that covered as many "if your worker does X I'm not responsible" cases as could be described, and to have a network so locked down that people would barely be able to log into their computers. No client is going to put up with that, despite the fact that that's what they desperately need: to be protected from themselves. (And no client is going to sign that contract, because then it looks like you're trying to avoid responsibility for your work.) Plus you have the problem of your client refusing to implement a security precaution they desperately need because they refuse to change any of their processes, since "we've always done it that way". (Case in point: I used to work somewhere where we were storing complete CC information, including CVV codes, which is a BIG TIME PCI no-no. I put a stop to the CVV storage, but our back-office accounting system would not accept anything other than a complete CC number and expiration date for reconciliation later. I pointed out that we had no compelling business case to store that information, and got back "we've always done it this way". They refused to believe that we could have avoided storage and handled back-orders and refunds through tokenization supported by most major credit card vendors. So then they had a breach that cost them $200,000. They didn't change any of their processes.)
No, the clients are the ones who need to be held responsible for data breaches. Make them expensive enough and they'll start paying attention, hopefully. Make them prove that they followed all the best practices required by the insurer AND all instructions given by the consultant, or don't pay. Only when companies start going out of business because their security was shit will people finally wake up. (Maybe the CEO goes to jail, too. A man can dream...)