Let's put all of the strawmen arguments aside. What we are talking about is a situation where there is an advised duty of care, with something that is valuable to us to be kept secret. The provision of our information. This is more analogous to a bank. There is an implied expectation of security when we put money into its security box, that only we can access it.
Imagine if you had the expectation of your secure documents being in a bank vault, with limited access, multiple keys, so that bank employees can't just access your goods etc is in place. Instead, you have a set of shoe boxes, stored in a garden shed with a screen door flapping in the breeze.
If a bank heist happens, and your documents are stolen, and the bank has done everything that they can do, then the breach should not be punished, if, however, a second heist occurs, and the bank has fallen for the same trap again, you would think that the bank should be held accountable, no?