It's strange, because Nintendo has such good first-party game development skills, develops entire operating systems for their internet-connected consoles (including security architectures spanning hardware/software).

Even some of Nintendo's top brass have had strong software engineering skills: in the late 1990s, during the development of Pokemon Gold & Silver, the team was struggling so future Nintendo President Satoru Iwata developed and implemented a compression algorithm.

The skills are certainly there.

Developing software that fulfills functionial or gameplay requirements is going to require a very different skillset compared to fulfilling security requirements (user stories become abuser stories, and they aren't always easy to wrap your head around).

Corporate Japan has also lagged behind western companies in this area. The book Business Management and Cybersecurity by Shinichi Yokohama dives into this.

Web security is not the same skill set.

You’d think after this they would just buy Auth0.com and use their skills.

Sony ain't that good in embedded software in general, the Alpha series camera software is ... a hot mess.

Plenty of web apps have giant account breaches as well—late last year DoorDash had almost 5 million accounts get hacked. Over 15x as big as this one.