This was, to the company, a reasonable risk. They already had a loss, large enough that it was worth it to get lawyers and try to argue as hard as they could. Sometimes you do the math and spending thousands for a 1% shot at recovering millions of worth it.

Negligence is the correct assessment, but more often than not it's lack of understanding, but penny pinching. At least you wouldn't see them spending this much on lawyers. People get experts to make certain things are safe, but many don't understand that IT person is not a cyber security expert. For all we know this court theater was to argue they were legitimately lead to believe they were covered for this situation and therefore can point at someone else.

That said this is based on generalisms, and I've seen a lot of companies with serious mismanagement. This specific case could certainly be the case of someone who would not listen to reason or advise. All I'm stating here is, as far as I can tell, there's not enough info to be reasonably certain.