An underlying problem is that legal security is mostly security theatre. Legal security provides legal cover for entities without much actual security.
The point of legal security is not to protect privacy, users, etc., but to protect the liability of legal entities when the inevitable happens.
neglecting the due diligence necessary to ensure those solutions truly fit their needs.
CrowdStrike perfectly met their needs by proving someone else to blame. I don’t think anybody is facing any consequences for contracting with CrowdStrike. It’s the same deal with Microsoft X 10000000. These bad incentives are the whole point of the system.