Too early to judge
It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away. I've seen it happen before. IT security is always seen as a burdensome cost and when you attempt to justify the cost by modeling the impact of a serious hack people think you are being alarmist.
As I've said before on El Reg, faced with using $100m to fix your security and get (ostensibly) $0 or the same $100m to spend on a new movie and get $1bn back, I know which one Sony Pictures board would go for. And it's financially sound to do so (from the point of view of maxing shareholder value). As IT pros, we need to change the calculation so that that "$100m for $0" becomes "$100m now, or $1bn later when the lawyers rip us to shreds"