mailor  ·  3210 days ago  ·  post: Controversial exploit manufacturer "HackingTeam" hacked

It's not like they haven't. They are subject to the same security management costs as anybody else, including password complexity, vulnerability patching and file encryption.

Of course being a security firm puts them in the position of having a lot of know-how on how to manage and configure secure systems. But so does any CISO, including Target's, Kaspersky's, and many others.

They may have done a better job at defending their systems? Sure.

Should we have expected that from them? Not so sure.





Dearon  ·  3210 days ago

I think we should expect high security from anyone who is dealing with sensitive information; no one wants to see their data leaked, after all.

But in practice it's not realistic to expect that companies have perfect protection; if you face an APT like a nation-state, for example, you're generally pretty screwed (e.g. Kaspersky). But when you do have a company which is in the business of security, like HackingTeam, it's much more reasonable to expect them to at least have the basics in order (like strong passwords). Their company as a whole knows how important those basics are, after all, given that they are demonstrated time and time again (like the recent successful phishing attacks on a number of US-based healthcare companies).