The penalty notice for the Sony PlayStation Network hack is an interesting read.
Besides the fact that Sony did not properly encrypt PCI-relevant data (cardholder data), and the ruling's vague phrasing:
“Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.”
a main point of the ruling seems to have been that the systems were compromised through a vulnerability for which patches were already available at the time of the hack.
To me this is a perfect example that patch and vulnerability management are not a nice-to-have but a must-have for every organization. The ruling shows that being hacked is not just an inconvenience for the targeted company, it also opens the door to fines and reparation claims.
I would really like to know what the blacked-out (redacted) parts were about!
So give your Nessus a go, and make sure to follow up on the results ;)
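"Following up on the results" is the part that usually gets lost, and the ruling's own criterion (a patch existed before the attack) is a good triage question to ask of a scan. The following is an added example, not code from the original post or from Tenable: it parses a Nessus v2 export (the `.nessus` XML format) and lists the findings for which the vendor had published a patch before a given cut-off date, exploitable ones first. The `.nessus` sample embedded below is constructed for the example and is not a real scan; the tag names used (`patch_publication_date`, `exploit_available`, `risk_factor`, `solution`) are the ones the v2 format carries, but the plugin IDs, hosts and dates are made up.

```python
"""Triage a Nessus v2 export: which findings had a vendor patch available
before a cut-off date (e.g. the date of an incident)?

Added example for this post. The sample export below is constructed;
the hosts, plugin IDs and dates are not from a real scan.
"""
import xml.etree.ElementTree as ET
from datetime import date
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    host: str
    port: str
    plugin_id: str
    name: str
    severity: int            # Nessus severity attribute: 0 (info) .. 4 (critical)
    patch_date: Optional[date]
    exploit_available: bool
    solution: str


# Constructed .nessus v2 sample (not a real scan).
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
               pluginID="100001" pluginName="Web server: known RCE (constructed)"
               pluginFamily="Web Servers">
    <risk_factor>High</risk_factor>
    <patch_publication_date>2010/11/15</patch_publication_date>
    <exploit_available>true</exploit_available>
    <solution>Upgrade to the fixed release.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="100002" pluginName="Nessus scan information"
               pluginFamily="Settings">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="100003" pluginName="SSH: weak algorithms (constructed)"
               pluginFamily="Misc.">
    <risk_factor>Medium</risk_factor>
    <solution>Disable weak algorithms in the server configuration.</solution>
   </ReportItem>
   <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="4"
               pluginID="100004" pluginName="DB server: auth bypass (constructed)"
               pluginFamily="Databases">
    <risk_factor>Critical</risk_factor>
    <patch_publication_date>2011/05/02</patch_publication_date>
    <exploit_available>false</exploit_available>
    <solution>Apply vendor patch.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def _text(item: ET.Element, tag: str, default: str = "") -> str:
    """Return the stripped text of a child element, or a default if absent."""
    el = item.find(tag)
    return el.text.strip() if el is not None and el.text else default


def parse_nessus(xml_text: str) -> List[Finding]:
    """Flatten every ReportItem of a .nessus v2 document into Finding records."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            raw = _text(item, "patch_publication_date")      # "YYYY/MM/DD" or ""
            patch_date = date(*map(int, raw.split("/"))) if raw else None
            findings.append(Finding(
                host=host.get("name", ""),
                port=item.get("port", ""),
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                patch_date=patch_date,
                exploit_available=_text(item, "exploit_available").lower() == "true",
                solution=_text(item, "solution"),
            ))
    return findings


def patchable_before(findings: List[Finding], cutoff: date,
                     min_severity: int = 2) -> List[Finding]:
    """Findings of at least min_severity whose vendor patch predates the cut-off.

    Ordered for follow-up: exploitable first, then by severity, then by how
    long the patch has been available (oldest first).
    """
    hits = [f for f in findings
            if f.patch_date is not None and f.patch_date < cutoff
            and f.severity >= min_severity]
    return sorted(hits, key=lambda f: (not f.exploit_available, -f.severity, f.patch_date))


if __name__ == "__main__":
    # Cut-off is an arbitrary date chosen for the constructed sample.
    for f in patchable_before(parse_nessus(SAMPLE_NESSUS), date(2011, 6, 1)):
        print(f"{f.host}:{f.port} plugin {f.plugin_id} sev={f.severity} "
              f"patch={f.patch_date} exploit={f.exploit_available} -> {f.solution}")
```

Findings without a `patch_publication_date` (configuration issues such as the weak-algorithm entry above) are not dropped by the parser, only by this particular filter; they still need an owner and a due date, they just cannot be answered with "apply the patch".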