What's it worth?
Oyster is an example of cash-on-a-card. In theory, you could make it a debit card, contacting a central database - your bank account - for every single transaction. In practice this is simply too slow for a system designed for millions of frequent small payments, especially if those payments have to be made very quickly - which, for a mass transit system, is vital.
The process that you're missing is the overnight reconciliation, which matches up the daily payments on the card to the purchases and top-ups. Faking a top-up involves subverting the central server; a much tougher proposition than fiddling with a card. This places an upper bound on the amount that can be stolen, as there is a time limit on the card's usability.
Ticket collectors (we still use the term!) have Oyster card readers that check the card's self-contained cash balance and/or validity for particular services. They don't validate the card against the overnight run - not at present - but I am certain that this will now change. So a fiddled card will soon be at risk from spot checks, too.
The next point to note is that we're talking small sums of money; it isn't - or shouldn't be - worth man-days of a software engineer's time to get a day's free travel. However, Londoners spend several thousand pounds a year on transport, and there are a lot of very bright teenagers out there who would do it for free.
Elsewhere, other cities are looking at Oyster cards issued by their Mass Transit Authority for small purchases - the typical commuter's newspaper and coffee from the kiosk on the station. I think this latest security lapse may be a setback.
The question is now a matter of cost vs risk and benefit: if the hack goes mass-market, will it be worth doing on a large scale? And is the system flexible enough for *regular* revisions and upgrades to the security schema?
Finally, I have to point out that it isn't just the money or teenage wannabe-hacker kudos. Oyster is a significant surveillance resource, and the ability to temporarily clone someone else's ID is an effective way of deflecting unwelcome attention from your movements. If it becomes impossible to purchase a one-day oystercard without being photographed, even the most law-abiding citizen might, from time to time, look upon the ability to travel anonymously as being worth far more than the price of the train fare and a coffee.
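The overnight reconciliation described in the comment above, sketched as an added example that is not part of the original comment and not the transit operator's code. The card IDs, amounts, record layout and function names are all constructed assumptions; the point is that spend uploaded by readers is checked against top-ups the central server itself recorded, so a balance edited on the card shows up as a shortfall.

```python
from collections import defaultdict

# Constructed sample data, amounts in pence. Not real card records.
OPENING_BALANCE = {"card-A": 500, "card-B": 200, "card-C": 0}   # server-side ledger
TOPUPS = [("card-A", 1000), ("card-C", 2000)]                   # recorded centrally
GATE_EVENTS = [                                                 # uploaded by readers
    ("card-A", 400), ("card-A", 400),
    ("card-B", 400), ("card-B", 400), ("card-B", 400),          # spends more than it holds
    ("card-C", 150),
    ("card-D", 400),                                            # card the ledger never issued
]


def reconcile(opening, topups, events):
    """Return {card_id: shortfall} for cards whose day's spend exceeds
    what the server-side ledger (opening balance + top-ups) can fund."""
    funded = defaultdict(int, opening)
    for card, amount in topups:
        funded[card] += amount

    spent = defaultdict(int)
    for card, fare in events:
        spent[card] += fare

    # The on-card balance is never consulted: only server-held records count.
    return {
        card: spent[card] - funded[card]
        for card in sorted(spent)
        if spent[card] > funded[card]
    }


def total_exposure(shortfalls):
    """Loss for the day; bounded because flagged cards can be acted on after the run."""
    return sum(shortfalls.values())


if __name__ == "__main__":
    flagged = reconcile(OPENING_BALANCE, TOPUPS, GATE_EVENTS)
    for card, shortfall in flagged.items():
        print(f"{card}: unfunded spend of {shortfall}p")
    print(f"total exposure for the day: {total_exposure(flagged)}p")
```
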