The moral issue isn't one of technical competence, but rather of having the integrity to perform the appropriate due diligence required of a company handling such sensitive information.
No security professional is going to argue that you can or will prevent every vulnerability from being exploited. However, when you leave a critical vulnerability open for months on end, you knowingly and unnecessarily expose yourself, and any parties associated with you (by choice or otherwise), to a level of risk that is unacceptable.
If this were a 0-day exploit, then the conversation would be different. If their exec's hadn't sold off so much stock a such a suspect moment, then the conversation would be different. If the IT department had appropriately began remediating the vulnerability within a respectable timeframe but had already been exploited, then the conversation would be different.
No security professional is going to argue that you can or will prevent every vulnerability from being exploited. However, when you leave a critical vulnerability open for months on end, you knowingly and unnecessarily expose yourself, and any parties associated with you (by choice or otherwise), to a level of risk that is unacceptable.
If this were a 0-day exploit, then the conversation would be different. If their exec's hadn't sold off so much stock a such a suspect moment, then the conversation would be different. If the IT department had appropriately began remediating the vulnerability within a respectable timeframe but had already been exploited, then the conversation would be different.