Re: We take the protection of our customers’ data very seriously.
I wouldn't presume subresource integrity to already be a mainstream defense, but the absence of a CSP header and the script loaded from untrusted sources would typically qualify as an act of negligence on a website like BA's.
Now I'm not sure the CEO should be the one losing their seat for this.
I'd need to know whether
1) security threat modelling teams did not spot the threat or issued poorly crafted warnings to the website project team,
2) whether some project manager skipped the requirement because "security stuff" or
3) whether a developer cheated by marking it "done" or
4) whether the security testing team didn't spot or follow up the issue or
5) whether the fix made it to the code and somehow did not end up on the website.
6) etc.
In such cases, root cause analysis is key to understanding who or what processes were responsible, so that improvement is possible. If BA just fires one person over this then we'll know they aren't doing RCA correctly.
I still cross paths with security testing teams that can't issue anything more detailed than a "set up a CSP header" instruction without explaining why or what should be in the header.
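As an added example (not part of the comment above, and not BA's configuration), here is what "set up a CSP header" has to mean concretely for a page that loads a third-party script: a script-src allowlist naming the one vendor host, a subresource-integrity hash pinned to the script body reviewed at deploy time, and a check that shows a header such as `script-src *` blocks nothing. The hostnames cdn.vendor.example and www.example, the /csp-report endpoint and the script body are constructed for the example; the source matcher is deliberately simplified (origin-level only, no path, port, nonce or 'strict-dynamic' handling).

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample: body of the vendor script as reviewed and fetched at deploy time.
# If the vendor (or an attacker on the vendor's host) changes one byte, the SRI hash no
# longer matches and the browser refuses to run it.
VENDOR_SCRIPT = b"window.vendorTrack = function (e) { /* constructed sample body */ };\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value for the <script integrity=...> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit a script tag pinned to the reviewed content; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(content, algo)}" crossorigin="anonymous"></script>'


def build_csp(script_hosts, report_uri: str = "/csp-report") -> str:
    """Build a Content-Security-Policy header value that allows scripts only from self and the listed hosts."""
    directives = [
        ("default-src", ["'self'"]),            # fallback for every fetch type not listed below
        ("script-src", ["'self'", *script_hosts]),  # the allowlist that actually matters for skimmers
        ("object-src", ["'none'"]),             # plugins are a classic CSP bypass
        ("base-uri", ["'self'"]),               # stop <base> from redirecting relative script URLs
        ("report-uri", [report_uri]),           # violations get reported (legacy directive, still widely honoured)
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(source: str, script_origin: str, page_origin: str) -> bool:
    """Simplified host-source matching: origin only, no path or port rules."""
    if source == "'self'":
        return script_origin == page_origin
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes are not host sources
    scheme, host = script_origin.split("://", 1)
    if "://" not in source and source.endswith(":"):
        return scheme == source[:-1]  # scheme-source such as "https:"
    if "://" in source:
        src_scheme, src_host = source.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        src_host = source
    src_host = src_host.split("/", 1)[0]  # drop any path component (not matched here)
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # "*.vendor.example" matches "cdn.vendor.example"
    return host == src_host


def script_allowed(csp_header: str, script_url: str, page_origin: str) -> bool:
    """Would a browser enforcing csp_header load script_url on a page at page_origin?"""
    directives = parse_csp(csp_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no script-src and no default-src: scripts are unrestricted
    parsed = urlparse(script_url)
    script_origin = f"{parsed.scheme}://{parsed.netloc}"
    return any(_source_matches(s, script_origin, page_origin) for s in sources)


if __name__ == "__main__":
    header = build_csp(["https://cdn.vendor.example"])
    print("Content-Security-Policy:", header)
    print(script_tag("https://cdn.vendor.example/track.js", VENDOR_SCRIPT))
    for url in ("https://cdn.vendor.example/track.js", "https://attacker.example/loader.js"):
        print(url, "allowed" if script_allowed(header, url, "https://www.example") else "blocked")
```

The two checks at the bottom are the content a tester's finding should carry: the vendor URL loads, an arbitrary third host does not, and the same function run against `script-src *` or a missing `script-src` reports the attacker host as allowed, which is why "has a CSP header" on its own proves nothing.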