Probably this wouldn't be a problem if Web was somewhat anonymous, so that merely stumbling upon a security issue, or using website in a regular way would not constitute a crime for the lack of the person to put that crime onto.

Also if things stored in those databases weren't plain strings, but tokens (in asymmetric cryptography sense) so that only the service owns it, and in case of a leak user can use it to get a payout from the service, this problem would be solved.

But no business is interested in provably making their users secure, it would be a self-sabotage. It's always just a security theater.