"To me that reads like a lot of today's thinking - let's blame someone else."
Yes, that's what I meant by "blame game". People do it all the time. One of the people doing it, right now, is you. You're going to find one person who did one thing wrong and put the blame on them: "track down the person whose password allowed the initial access and fire them". I'm guessing that you work in IT, so you're nicely exempting your profession from it by finding someone else and deciding that they're responsible. In my example, I gave you lots of single people we could put the blame on.
IT person: You could have had monitoring and more security, you didn't, so it's all your fault.
Management: You could have told the IT person to have monitoring and more security measures, you didn't, it's all your fault.
Finance: You could have increased budgets for security, you didn't, it's all your fault.
Senior management: You could have approved more leeway for IT security measures, you didn't, it's all your fault.
In reality, it is at least partially the fault of all five of those people, and possibly even more. Each person probably could have done something differently. Accurately estimating the correct amount of blame would involve trying to evaluate exactly where each person failed, but it doesn't really help much. If you're going to have blame-related consequences, doing that is the fairest way. If you're willing to fire the person who initially clicked on something they shouldn't have, imagine for a moment someone barging into your office, deciding that you should have done something differently, and announcing that you're the one to be fired. You probably could have done something, after all.