"the storage bucket [..] was left facing the public internet with no security protections"
Well then, it seems to me that the problem is not actually Magecart.
You can hardly complain about being robbed when you leave the front door wide open. Of course, this problem exists because everything Internet is made to be as simple as possible. Create your web site in one click ! The goal is get people to subscribe, not to ensure they do so securely. And people are not security-minded, not to mention that many, if not most, have no idea what they are supposed to pay attention to.
It should be easy to prevent any web site from going live as long as the passwords are still default, but hey, that would be bothering the customer and we can't have that, now can we ?
So we have Magecart instead.