It's the mobile operators' fault for allowing the SIM transfers. It's relatively easy to social engineer one's way around a customer support agent over the phone if some credentials of the victim are known and, after gaining access to the phone number, the intruder can go to town resetting all victim's accounts. SIM transferring should only be allowed by visiting the company's offices and doing it in person after verification of the identity of the SIM owner. I have heard a lot of horror stories about SIM hijacking - mainly famous influencers' Twitter accounts getting hacked via social engineering and lax security protocols of the mobile operators.
I don't believe that you should blame anyone for what happen even the mobile operators are not aware but still they are liable for what happened. Criminals will do whatever they think they can give them huge money. Every system has its vulnerability and its to us (users and the mobile operators) to make strengthen the security what we have by communicating each other regarding this matter.