If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim.
I agree with the second portion of your comment. It's an entirely different matter when it's personal property versus protected information. There is or should be a certain level of security afforded to one's private property regardless of the level of security maintained. Meaning I don't care if the door is wide open, it's still wrong to have someone come in and take what isn't theirs. I know that my home-owner's and auto policies have zero stipulations on the security levels that must be maintained. Whereas there is a documented level of security that needs to be in place for the protected information. Look at HIPAA, PCI, SOX, etc. requirements. I think if you don't meet those standards it should be a criminal as well as a civil offence to allow the non-compliance. From an admin's perspective you better have documented proof of your recommendations and when/why they were shot down or you are just as guilty as the PHB.