While I agree that many, if not most, companies should have a greater focus on security, I think the following facts should be considered:
1) Bulletproof security is, in fact, difficult. Retrofitting security to systems or environments which weren't designed for maximum security is even more difficult.
2) Finding qualified staff and/or consultants to build a secure environment is both difficult and expensive. Good security people are in high demand, the more so because of the current elevated threat environment.
3) The current threat environment is unprecedented. Most companies were able to live with relatively lax security for a long time because the perceived consequences were not as severe as now. Companies and people are still adjusting to the new reality.
A lot of entities have been caught wrong-footed by the sudden spate of ransomware and don't immediately have the resources or the expertise to address the need for a more rigorous defensive posture. Dog-piling on the victims hardly seems warranted.