The only thing that would have prevented this in this context would be mandatory MFA. Did they have that? No, but there's a huge number of places that are way more sensitive than a streaming platform that don't have mandatory MFA (coughETradecough).
It is wholly misleading to characterize this as a "Roku data breach," and it's disingenuous to portray Roku in this instance as somehow glaringly worse than everyone else.