The case which happened to the stake user is definitely the fault of the user and not stake, so I am going to disagree with you when you say it's the fault of both sides.
Stake have done their best in providing good security features for their users, Stake still can not be the one to turn on those security features for the user, a user is solely responsible for turning on any of the security features he or she feels he or she needs, and leave the ones he or she thinks is irrelevant to him or her, if a user having good amount of money on his or her stake account doesn't find it needful to turn on 2fa for the safety of their funds, then whatever happens that leads to the user losing those funds, that is clearly his or her fault and not the fault of the Casino.
It's true that the gambler messed up by not enabling 2FA which would saved him from this mess, but it's also true that he wouldn't have to go through this ordeal if Stake's security stopped the hacker in the first place.
The fact is that a Stake account got hacked despite the site being one of the top gambling sites these days which is embarassing to say the least.
You have made the right judgement from the start, but not the concluding part as no security can be breached because not even the US military is immune to hacking. This is why they are extra careful and spend billions on securities every year. Besides, I can partly join you in blaming the guy because it is a good layer of security to do the 2FA, but on the other hand, 2FA means nothing to some hackers, that's just the fact. Once they get the hold of your phone, they will do virtually everything and bypass every security, which including the fingerprint. That's what I read from one of the crackers of hackers, so we should all know that the internet on its own is not safe but we should try to increase security as we can and also not be careless about the way we operate and handle our gadgets and online accounts.
Having said that, you can naturally know that even Stake is not immune from hacking, but they will always try their best to keep their platform safe. However, nothing is guaranteed here and it also depends on how much the company is willing to pay for the security.