Whose door should the failure be laid at?
RSA the company must accept full responsibility for this breach. Their policies and systems failed to prevent it.
Start from the premise that all software is buggy, that from a security perspective (the number one perspective for a company like RSA) things are going to get through despite everybody's best endeavours.
If you have data you really, really don't want to be stolen the solution is simple. Physically isolate it from the company network. What's worse - some inconvenience in operating, or a complete and public trashing of a business model?
If systems need to be linked to facilitate day-to-day business then there are physical and logical measures that can be taken. Here are two: physically isolate the hardware holding sensitive information and provide only one network connection, through a dedicated firewall (or two, or three), that only allows traffic when certain authorised users are logged in and actively using systems that need the data. Make it as hard as possible for traffic to access the server from just anywhere. Heck, install software to exchange data over serial links instead of a normal network; that'll slow a trojan down somewhat.
If RSA's business model has been trashed, it's because they did not properly assess risk. They should have started by saying "OK, what happens when (not if) a virus gets established and we're not aware of it?" and built their data security from that point.
Security analysis fail. If I were deploying RSA 2-factor authentication I would now be running on the assumption that it is broken. I imagine RSA are frantically trying to find a way to quickly adapt their architecture to nullify the data breach, and then they will come clean. Too late... trust takes time to build and a moment to destroy.
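The comment above sketches a design (isolated host, a single path through a dedicated firewall, traffic admitted only while an authorised user is logged in and active) without showing how such a gate would decide. The following is an added illustration, not code from the commenter or from RSA: a small, self-contained policy evaluator in Python that models that gate as default-deny, checks that a request arrives via the one permitted firewall, and admits it only while the source host holds a session for an authorised user that has not gone idle. All host names, user names, timeouts and the sample requests are constructed for the example; every denial is recorded so that a defender can review attempts against the isolated host.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """An authenticated, interactive session on a host that may reach the isolated server."""
    user: str
    host: str
    last_active: datetime


@dataclass
class IsolatedHostPolicy:
    """Default-deny gate in front of a single isolated server (constructed model, not a real firewall)."""
    sensitive_host: str            # the one server holding the sensitive data
    firewall_host: str             # the only permitted ingress path to it
    authorised_users: frozenset    # users allowed to reach it at all
    idle_timeout: timedelta        # a session that has been idle longer than this no longer unlocks access
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by source host
    audit_log: List[str] = field(default_factory=list)

    def login(self, user: str, host: str, now: datetime) -> None:
        """Record that `user` opened an interactive session on `host`."""
        self.sessions[host] = Session(user=user, host=host, last_active=now)

    def activity(self, host: str, now: datetime) -> None:
        """Refresh the idle timer for the session on `host`, if one exists."""
        if host in self.sessions:
            self.sessions[host].last_active = now

    def logout(self, host: str) -> None:
        self.sessions.pop(host, None)

    def evaluate(self, src_host: str, dst_host: str, via_host: Optional[str], now: datetime) -> Tuple[bool, str]:
        """Decide whether a flow from src_host to dst_host may pass. Returns (allowed, reason)."""
        decision = self._decide(src_host, dst_host, via_host, now)
        allowed, reason = decision
        if not allowed:
            # Every denial is logged: repeated denials for the isolated host are a detection signal.
            self.audit_log.append(f"{now.isoformat()} DENY {src_host}->{dst_host} via={via_host}: {reason}")
        return decision

    def _decide(self, src_host: str, dst_host: str, via_host: Optional[str], now: datetime) -> Tuple[bool, str]:
        if dst_host != self.sensitive_host:
            return False, "this gate only serves the isolated host"
        if via_host != self.firewall_host:
            return False, "traffic did not arrive via the dedicated firewall"
        session = self.sessions.get(src_host)
        if session is None:
            return False, "no interactive session on source host"
        if session.user not in self.authorised_users:
            return False, f"user {session.user} not authorised for the isolated host"
        if now - session.last_active > self.idle_timeout:
            return False, "session idle beyond timeout"
        return True, f"active session for authorised user {session.user}"


def demo() -> Dict[str, bool]:
    """Run a constructed sequence of requests and return each outcome by label."""
    t0 = datetime(2011, 3, 17, 9, 0, 0)
    policy = IsolatedHostPolicy(
        sensitive_host="seed-vault",          # constructed name
        firewall_host="fw-vault",             # constructed name
        authorised_users=frozenset({"alice"}),
        idle_timeout=timedelta(minutes=10),
    )
    results = {}
    # An automated process on a random workstation with no user session: denied.
    results["no_session"] = policy.evaluate("ws-17", "seed-vault", "fw-vault", t0)[0]
    # Alice logs in on her workstation and works: allowed.
    policy.login("alice", "ws-17", t0)
    results["active_user"] = policy.evaluate("ws-17", "seed-vault", "fw-vault", t0 + timedelta(minutes=1))[0]
    # Same session, but the flow bypasses the dedicated firewall: denied.
    results["bypass_fw"] = policy.evaluate("ws-17", "seed-vault", "core-switch", t0 + timedelta(minutes=1))[0]
    # Alice goes idle; a trojan riding her workstation tries later: denied.
    results["idle"] = policy.evaluate("ws-17", "seed-vault", "fw-vault", t0 + timedelta(minutes=30))[0]
    # Bob (not authorised) logs in on another host and tries: denied.
    policy.login("bob", "ws-22", t0)
    results["unauthorised"] = policy.evaluate("ws-22", "seed-vault", "fw-vault", t0 + timedelta(minutes=1))[0]
    results["denials_logged"] = len(policy.audit_log) == 4
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the model is that the server accepts nothing by default: a compromised workstation with no live, authorised, non-idle session behind it has no path, and the path that does exist is a single choke point whose denials are worth monitoring.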