In the great majority of cases, a compromised account is due to some oversight on the user's end, NOT the company. In most cases, a company will give you lots of information on how to protect yourself, and even tools (email authentication, physical authenticators) but at the end of the day, it's up to the user to make their account more secure. I see a lot of people saying that they shouldn't have to go to all these extra measures to make themselves secure, and that it's the company's responsibility. When asked to supply some kind of sound logical reasoning for this, they tend to come up short.