I think the underlying issue here is that responsibility for preventing these attacks is misplaced. In short: we need to blame the victim.
There's a popular notion to "not blame the victim" when it comes to many other crimes (e.g. rape). Because long-standing cultural traditions or implicit biases can be involved, it's not always glaringly obvious that somebody is blaming the victim. As such, it's become a kind of litmus test: you look for warning signs that some policy or statement is (even unintentionally) laying the blame on the victim. And that habit is easily transferred to new misconduct, such as hacking.
I think we need to step back and understand why we should not blame the victim for other crimes: I'd argue it is not because they're already suffering, but because the best way to prevent the problem is by focusing on (A) those we can influence and (B) those best placed to prevent the problem. Often that's not the victim - but sometimes it is. In many sex crimes, the perpetrator is socially well-respected and in a position of power, so that's (typically) a man that can be influenced (satisfies A), and since he's using his position of power he apparently has it; so he's well placed to prevent the problem (satisfies B).
So for example, we might prosecute people breaking into cars. But most people realize that we're not likely to catch enough thieves to really reduce theft to a minimum, so we also invest in locks, and we teach people not to leave valuables in sight. This is a form of blaming the victim - justifiably so, since I'd argue that if you leave your car unlocked and/or leave valuables in sight you're not just hurting yourself, you're hurting others too: you're making theft easy, and by making it worthwhile, you may encourage thieves to try more frequently - also against other targets.
For another example, consider vaccination. Failure to vaccinate may cause the victim to become sick (or their kids to become sick). But here too, it's not just themselves they hurt; they hurt others by propagating dangerous diseases. Beyond a certain level, they'll contribute to epidemics that can hurt even the vaccinated, since no vaccine is perfect.
From the perspective of preventing harm, protecting yourself from malicious hacks is more like a cross between theft prevention and vaccines, and not like preventing rape by a powerful individual. Most hacks are trivially easy to prevent (it often takes numerous bugs, mis-designs, and some social engineering to gain access) if there were systematic effort to prevent hacks, so the victim is in a place to prevent the harm from occurring. And since it takes considerable organization to run most vulnerable services in the first place, the victim is also one we can influence.
Focusing on the hackers isn't just futile, it's actively harmful in several ways. Not only is it obvious that many hackers cannot currently be found, many are beyond the reach of law enforcement by virtue of living elsewhere (or at least, acting through not-entirely cooperative countries). So it's immediately apparent that it's never going to suffice to focus on the perpetrators (they don't satisfy A: we can't influence them). But also, by focusing on the hackers, we help keep vulnerabilities secret. Would you rather be hacked by a script kiddie or by an unscrupulous competitor or hostile country? Hiding vulnerabilities rather than fixing them means that the vast majority of hackers that can never be caught simply have more targets. Additionally, by focusing on hackers, we draw attention away from those that can bear the responsibility to prevent hacks: the victims. And that lets them get off the hook too easily. Most companies suffer rather few consequences for running infrastructure that is, in essence, a public menace. And much like the theft and vaccination examples, they hurt others by remaining vulnerable. When an organization is hacked, it affects not just it, but many others. In a data leak, most harm is usually suffered by those whose data is leaked, not by the company holding the data. And when financial infrastructure is hacked, then it's not just the organization running it that is harmed, but in particular those that rely on it.
In short: we need a sea-change. To really address the risks posed by hacking, we need to stop focusing on hackers, and instead blame the victim. By failing to defend themselves they are hurting themselves and others, and focusing on hackers is never going to work anyway (and indeed makes it less likely that vulnerabilities are discovered by non-malicious or mildly malicious actors rather than those really motivated and out to get you).
You're speaking to the choir here. Find a way to make your point more concise and convince the popular media and your non-technical friends, and then we're on to something.