Agreed. I still can't wrap my head around Bitfinex's solution, they're making customers who were not affected by the hack pay for damages when they should be working to reimburse those who lost coins in the hack in full.
1. why are they not securing customers funds in the same manner as their own reserves, for them to think customers funds could be lost but their reserves could not be
I would think the answer to this is pretty obvious, because they can't. They simply don't have the same amount of control over their customers' funds as they do over their own. Customers must be able to withdraw their funds whenever they choose, which unavoidably creates weaknesses. Their own reserves they can keep completely offline cut off from all access.