If your choices are "disable all logins" or "anybody can log into my bank account and make whatever transfers they want", the correct choice is the former. (Obviously I would prefer a third option, where the company actually fixed the login bug sometime during the 104-day lead-up, but that's not the point.)
