If a merchant screws up and manages to post a flat ASCII text file of credit card accounts with CVV numbers on a URL in a directory with an Apache index enabled, your argument says "well, sucks for the merchant and all their customers".
Since that would be a clear and basic PCI violation, yeah, it sucks for the merchant and their customers. Why have PCI compliance at all if the merchant can just throw up their hands and blame it on "hackers?"
No, because then the collateral damage is everyone misidentified as a "hacker" because prosecutors don't know the difference between criminal actions and not because the internet is confusing to everyone who hasn't spent the last two decades staring at the underbelly. Also, prosecutors default to "criminal" because their job is to deal with criminals all day (c.f. aaronsw).
It's unreasonable for us to expect the legislature to get this right. Nothing here is criminal.
The criminal justice system deals with fraud in more complicated settings than computer hacking. For instance, it convicted ADM executives for price-fixing lysine. I don't recall anyone being up in arms at the time about how the prosecutors didn't fully understand the lysine industry.
Since that would be a clear and basic PCI violation, yeah, it sucks for the merchant and their customers. Why have PCI compliance at all if the merchant can just throw up their hands and blame it on "hackers?"