While I agree that the company should receive a large share of the blame, we should examine why they place so little value on increased security.
Security is a tradeoff; it costs money. In this case, the improved security would obviously have been worth the extra developer time required to fix the vulnerability. Many other cases aren't quite so clear, and the limited incentives for companies to improve the security of their products are readily apparent. More on this is available at OT: Software & Liability.