There is also the fact that this isn't Sony's first time on this ride. Shouldn't they have doubled-down on security after PSN got hacked?
You're supposing that "Sony" is a single massive thing -- it's not. It's a conglomerate with many separate units that share relatively little other than a name and some discounts at the Sony Store.
Proof: The hackers have done nothing outside of Sony Pictures. If there'd been interoperability in the layer that they got into, we'd be seeing data from other "Sony"s out there as well.
SOE/SMSS/SNEI learned a lot after what happened in 2011. But a movie studio that deals mainly with corporate accounting to pay actors and production companies, and the occasional internal creative discussion, has a far different calculus to make on what to secure how than an Online Game company, or the one handling end-user billing (read: PCI) data for a storefront (PSN).
You're going to see a giant top down review come out of this, of course, but implementation will probably still be handled by individual corporate units to some extent.
Sony wasn't attacked because they were vulnerable or had particularly lax security, they were attacked for political reasons by a foreign power. I guarantee you that if Viacom has been producing The Interview they would have had a similar attack against them and would probably have fared little better.