The odds of a system being replaced once a significant amount of money is lost will be quite high - after all, the costs are pushed onto the customer, aren't they?
Besides, according to the Terms & Conditions (http://www.tfl.gov.uk/termsandconditions/901.aspx) of the Oyster card, particularly the bit about "Lost or stolen Oyster card", simply reporting that your card is stolen (without you knowing the ID of the card, eh?) allows them to update the system and disable use of the card.
Does this mean there is a database that allows tracking of the card's usage? What is to keep them from implementing this (if not already) to confirm "amount on the card", etc? What is to say that it doesn't just read off the ID to confirm against the database of accounts and not even use the data on the card?
If there is no database that they are checking against IRT, then the costs would be in setting up communications and access. That in itself may not be a small amount and could extend the lifetime of any nefarious projects.
Anyone looking to make some extra dosh would have to get these questions answered first before selling "services" to the masses...
[ Yay! I got to use "nefarious" in a post, too!]