People expect security measures to be correlated to
potential damage. Articles are focusing on Apple because
they exhibited the largest gap between expected and actual
security measures.

Using nearly-public information, the attacker was able to
convince a human to grant access to the victim's account,
and therefore to destroy the victim's data.

If the compromise of an iCloud account had merely given the
attacker access to the @me.com address, I don't think Apple
would be receiving nearly as much bad press. Email accounts
are compromised all the time, usually with no more damage
than some spam mail sent to friends.

Similarly, if the attacker had gained remote-wipe ability by
some elaborate deception, customers would be more willing to
cut Apple a break. Suppose Apple accepted passports as a
recovery mechanism, and the attacker showed up to an Apple
store in person with a forged US passport. That would sell a
lot of newspapers, sure, but Apple would be blameless.