On one level it's surprising we aren't seeing the argument that "Hacking is a norm of everyday Corporate life" more often. It is indeed a truth. The problem is that you are still culpable. Perhaps most importantly the level of "eyebrow raise" that this response will get depends, at least to a certain extent, on the type of data you hold. When your company has a vast amount of biometric data people's eyebrows will be heading for their hairline, and your facial recognition software won't like that.   

From this account of the breach it wasn't the biometric data that was accessed, rather it was their client list. However given the nature of some of their clients I doubt if they will be too please about this either. In the end the cost of a breach and the pre-emptive cost of higher levels of cybersecuritywill always be easier to see in hindsight. But if you hold lots of sensitive data perhaps some foresight is possible.