What really is clear from reading the actual SEC release on their charges is that the charges rely heavily on supposed warnings by a single individual. That creates the question, was the individual who issued the warnings a known worrywart, with a reputation for overstating risks and demanding disproportionate security for the analyzed risk? Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate.
I raise this point because I've been at shops where someone tried to demand completely disproportionate security to the threat profile, which would have exceeded the entire IT budget to address. I've also seen cases where risks were claimed in order to justify "security" tools that actually created more risk for the organization (I'm sure you know the kind I mean).
I expect we'll see a lot of expert witnesses arguing that not only were the warnings commensurate to the known threat profile at the time, but that they were willfully ignored rather than postponed due to other legitimate priorities.