The situation is not remotely like the scenario you are concerned about. We (the e-commerce industry collectively) have a history of making many of the same basic security mistakes repeatedly, even though both the mistakes and the ways to avoid them are well documented (SQL injection is a classic example, as is the use of easily guessable secrets). In my opinion (the source of which is me) the industry should be held accountable for its complacency and, yes, lapses in competence. Of course, being criticized by me in an HN comment is hardly being held accountable.