Guys, there are two parties at fault here. The first, obviously, is Microsoft for having the software bug. Everybody by now should be well aware that security and system integrity wasn't even on Microsoft's radar screen until recently. It wasn't until the Gartner group recommended that companies stop deploying IIS that Microsoft acknowledged that their software doesn't have a very good security track record and that they were going to try harder. It remains to be seen whether or not this was just a PR gesture...
The second party to blame is the website itself. This blanket statement includes the system architect and the system administrators and their managers. These are the individuals responsible for designing and implementing an e-commerce site that stored customer data in an unsafe fashion. You can't blame Microsoft here... this is just poor system design. They placed trust in their assumption that their software was safe. It wasn't. How many times must sites cough up their data to hackers before the community realizes that it's bad mojo to store sensitive records on machines accessible from the outside?
Had they been more careful...perhaps, heaven forbid, contracted a security architect to analyse their needs and offer solutions...then their customer data would not have been snarfed even if the site had been hacked. Then they could have issued a statement something along the lines of "Due to a flaw in a Microsoft product, a hacker managed to infiltrate our website yesterday. However, due to our security-conscious system design, this hacker was unable to obtain access to the systems containing vital customer data. As a result, your personal information remains safe and secure."
You're never going to have 100% bug-free software. Assuming otherwise is begging for a public relations nightmare later on.