Management is not responsible for their decisions...
If indeed it is true that the failure of "a single person" lead to the issue, the obvious conclusion is that it was *management* failed to implement proper controls. Leaving the monitoring of the "news about critical vulnerabilities" to a single person would seem to point to management, not this person.
I wonder what would happen if this "single person" were to be forced to appear before the House Committee. Chances are that we'll hear a) he's overworked, b) he lacks authority, and c) there were ample warnings but the company tends to downplay or ignore those.
Remember when [a very large bank in the US] got hacked? As a customer, I was concerned. Yet, when I contacted them (multiple times) that Qualys rated them as "F" on their main web site this fell on deaf ears. I even went to a branch and talked to the branch manager. Mentioned PCI-DSS. Turns out she'd never even heard of that, not did she share my concerns. I closed my account on the spot.
Similar story with [one of the largest ISPs in the US]. Eventually I did speak to an IT-engineer who was in fact in the know. He let slip "we know, but there's nothing we can do about it because management doesn't listen to us".
Couple of years ago I had to cover for a co-worker who was on vacation and configure a web interface for an application from a large European vendor. Since it processed credit cards I figured it ought to be PCI-DSS compliant. One quick look told me it wasn't - first giveaway was that the vendor name appeared in all (public-facing) URLs. Second was that it was installed (per their instructions) in the default locations.
Did a quick test and discovered that the error log was a text file in the root of the web site... Every error was written there - even credit card failures (e.g. address verification errors). And, you guessed it, *all* the transaction details were there: name, address, card number, expiration, CVV2, etc.
Now came the fun part of alerting the vendor. And, you guessed it, I got the expected, "Oh no, we are in fact PCI-DA certified". And, you guessed it again, they alerted my executive management to complain that I was a roadblock...
Fortunately our security officer stood his ground and blocked the project from going forward, but I'm afraid that these situations are commonplace.
This will not improve unless:
1) Legislation is enacted to hold executives personally responsible for willful failure (or ignorance).
2) A clearinghouse is set up where consumers and security experts can report vulnerabilities. Reports would have to become public automatically a set time after a patch is available.
3) Companies are mandated to create processes so employees and customers can report security issues. Again, with full disclosure after x days.
4) Fines for failing to properly protect PII.
All without exceptions for small companies, non-profits, government agencies, and the like.
Biting the hand that feeds IT
