Only thing I'd change about your statement is the following:
The people who should be punished are the people running the companies they hack (lots) and the people providing security and operating systems to those people (a bit).
In my experience, the people providing security do the best they can with the resources the customer is willing to expend. Properly configuring the firewall, writing safer code, and implementing monitoring and checks-and-balances-type systems require man-hours and money. Most companies don't want real security. They want security theatre.
Even in industry-standard security courses, the first thing they teach is that you are not aiming for 100% security. You're going for the best the company "can afford". Unfortunately, that often means the best the company "is willing to pay for", and that oftentimes isn't based on being safe. It's based on paying just enough in security to significantly lower the estimated cost of litigation when your systems are breached. "No no, your honor, we did our due diligence, just look at how many firewalls we have! (-omitted- still running on the factory default settings)".
Until that attitude changes, expect much more of the same. Punishing the guys that installed/implemented the system on budget will not solve the problem.