Ignoring the strawman of an assailant deserving compassion or not, that’s a self serving and narrow definition of negligence. Any mechanism to protect from misuse has to weighed against the magnitude harm of the event occurring and the possibility of misuse. I would not expect my asset manager to have weak authentication systems to access my portfolio but don’t expect any at all from a free online game. I expect both of these to consider the threats and make reasonable choices. And they would be negligent if they did not do this exercise. Whether is an active threat or a passive act of god.