That's the thing...
There's a largish shop in my village growing up, selling model railway stuff. It seemed quite specialist and out of place for a small village, but it turned out they had a strong national reputation and mail-order presence.
Now, I've no idea of their current business, or technical skills or website presence, so this is not related to them specifically, but imagine a fictitious family company like that.
Presumably they'd by now have got a web presence, where most of their sales would be made. They need a website. They are a single store, family shop, but require a relatively decent online shop - the vast majority of orders would presumably come that way.
Now, they know nothing about the internet, but do know enough about the business to know that they need something more professional than grandson Johnny to code it, so they search for a company to do the job, and then... the same thing as in this article happens to them.
Should they have known to use a third party transaction site? Should they have known to audit password storage methods?
They hired specialists. As John says, specialists all the way down?
By the way, I'm not writing this as a "gotcha". Presumably they have some sort of protection, but if a dodgy builder caused my house to fall down, presumably he'd be in some guild of builders that underwrite insurance on jobs?
In this case? I dunno. I'm curious, but stupid.
[ EDIT: I just googled the company I originally mentioned. They're still going, over 30 years later, but no ordering website, just some crappy front page template looking like it's from the early 90's... There's more info on them via Google Maps than via their own website... wow! ]