Or, you know, it's just hard to secure things.
I'm not saying they couldn't do a better job, but there are a lot of competing requirements. For example, for medical information, how far do you lock it down? If there is someone crashing in a hospital, you have to be able to pull up their information - or they might die. For credit cards, not only are there a ton of retailers that have to access them, but they also have to handle companies with shared cards, different state and federal regulators, and a ton of different banks that have to be able to create, issue, and revoke $CREDIT_CARD_BRAND.
Oh, and let's not forget that there is a LOT of money available for that kind of information, so disgruntled employees are also a danger. Or even happy employees, that just want $METRIC_FRACK_TONS of money.
So, sure - they could probably do better; but it is not a simple problem.