Well, there is a business balance to look at - risk mitigation vs cost. However, if you are in a business where you take reputational risk seriously, you have to take security seriously. This means going through the whole gamut of access management, strict password management, audits and pen tests, user education, as well as the traditional hardware- and software-based security tools. Are these perfect? Hell no! But oftentimes having a serious security posture makes the difficulty of attack higher, and at least in the days before "state-sponsored hacking", it was enough to keep script kiddies and lone wolves away. Today, with hackers having greater resources behind them, we are seeing the online repetition of the first Iraq War, where the powerful and mobile coalition forces overwhelmed the fixed, inferior Iraqi forces.
What Yahoo! apparently did was to de-emphasize security more than they should have. As a Yahoo! customer, I have taken measures to move all relevant connections away from them and will end participation in other services as many peers have done. If indeed the corporate decision (Marissa) was to not take the logical steps to shore up security in order to prevent more subscriber losses, then she was definitely not the right person for this position. A successful CEO cannot have a short-term mentality. Also, they should have a good sounding board (and an effective governing board) to review and counsel. There are many people to share the blame at Yahoo!, and if Verizon doesn't restructure their deal then their board needs to be looked at skeptically as well.