Re: The $64K question...
"Who is - or should be - responsible for identifying potential flaws, checking if they exist, and ensuring they get fixed if they do?"
Well, companies have to turn a profit on limited resources, so do what is required to avoid scandal or breaking the law. Anything else is a bonus.
It's not the government's job to oversee private business, shoulder some of their running costs and help them make more cash, either.
There are allegedly watchdogs and ombudsmen, but they are underfunded and have no teeth or real powers of enforcement: Pretty much worthless bureaucracies.
To a degree, it's in the customer's best interests to be aware and abreast of issues and to vote with their feet if security is poor.
Ideally a free, active and informed Press is the best defence: They inform us of risk, which then spreads word and hits the industry's pockets via consumer uproar if things get too shoddy, or potentially triggers government or police action if laws are broken or need amending. They perform quality investigative reporting to find such stories and report them in a useful and informative way to educate all parties (state, businesses and customers).
Investigative reporting is a priceless thing in our society and a fantastic use of media. It's such a shame that it doesn't sell advertising and copies so well as click-bait sensationalist stories, trolling opinion pieces and soapy-hand-job self-affirming articles to tell us that our opinion on immigration/whatever is absolutely correct because the writer agrees with us and made some figures up to tell us so.
I mourn the scarcity of good journalism.
(The Guardian used to be well ahead of the field when it came to important investigative articles. Sadly, it now seems happy to reap in readers by being the Extreme Liberal Opinion Click-Bait Daily. I'd comment about the Mail's decline, but it was always a bunch of extremist, hateful xenophobic bullshit, so no loss there)