1..A popular site like a hotel chain (Marriott case) has more potential attacks than a web site for a furniture next door.

2..It takes just an old and not updated Apache Server for a hacker to hack in. Imagine an organization having hundreds or thousands of individual servers of different versions running end of service software. It is just a matter of time.

3..Marketing Dept. wants a product to go public as fast as possible. (It’s not their fault, competitors are out there waiting for a chance to increase market share). So there is no plenty of time for testings.

4..As a developer myself I was never taught that a memory overflow could crash my application and give full credentials to the user. We were never instructed to be aware that someone might try to “cheat” our software and try to find a security hole.

5..Developing tools still do not have the methods to advice the developer about potential risks. We are still far from a secure environment.

6..When a company bribes a hacker $100K to keep silent and not exposing hackers data. Isn’t that a good incentive for a poor kid ?

Uber Paid Hackers $100,000 For Silence On Cyberattack That Exposed 57 Million People’s Data

7..I remember MySQL during earlier versions was shipped with empty root password. They were expecting the administrator to change it. They thought it was too obvious not to allow a system without a password or with the default one. You know the rest. There were thousands of online MySQL databases with empty root password. I hacked one myself by mistake :
Synergy USA Llc’s answer to Why do big organisations keep getting hacked and having their data leaked? What does it achieve?