I'm an ecom web dev, and what is shocking to me is that Sony appears to have been lax on basic security practices. In particular, to compromise all those passwords means that the passwords were not hashed when stored, which is a big no-no. Also, if the database of credit card numbers were compromised, that would indicate that, if it wasn't an inside job, they failed on some significant PCI rules on how card numbers can be stored and how they can be accessed.
Most appalling to me, though, is how slow they are to be honest and inform end users. They also are very much lacking in customer support. For example, a simple thing they could do is have some basic, easy way for users to check to see if they had a credit card on file with PSN which might have been compromised. I own a PS3 and I honestly don't know if I ever put my card on file with them. Instead they recommend you go use some third-party credit check website.
As another user pointed out, this smacks of the same silence and downplaying of importance that we saw in the first few weeks of the nuclear accident in Japan with TEPCO.