The case which happened to the stake user is definitely the fault of the user and not stake, so I am going to disagree with you when you say it's the fault of both sides.
Stake have done their best in providing good security features for their users, Stake still can not be the one to turn on those security features for the user, a user is solely responsible for turning on any of the security features he or she feels he or she needs, and leave the ones he or she thinks is irrelevant to him or her, if a user having good amount of money on his or her stake account doesn't find it needful to turn on 2fa for the safety of their funds, then whatever happens that leads to the user losing those funds, that is clearly his or her fault and not the fault of the Casino.
It's true that the gambler messed up by not enabling 2FA which would saved him from this mess, but it's also true that he wouldn't have to go through this ordeal if Stake's security stopped the hacker in the first place.
The fact is that a Stake account got hacked despite the site being one of the top gambling sites these days which is embarassing to say the least.
I play gambling here in the crypto gambling business but I have never activated 2fa on casino platforms. Also, I don't have an accout so far in Stakes though as far as I know it has 2fa, and besides that Livecasino also has 2fa.
maybe I will only do 2fa when I am required to activate 2fa to secure my account I have in the casino platform. That's the purpose of 2fa in a casino so that you can't be hacked by exploitative people.