If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, and that depends on Due Care. Who is held accountable, who is to blame, who should pay?
Due Diligence and Due Care:
Due Diligence – The research done to build the IT Security architecture of your organization: best practices and common protection mechanisms, and researching new systems before implementing them.
Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
Implementing the IT Security architecture and keeping systems patched. If compromised: fix the issue and notify affected users (follow the Security Policies to the letter).
Negligence (and Gross Negligence) is the opposite of Due Care.
If a system under your control is compromised and you can prove you exercised Due Care, you are most likely not liable.
If a system under your control is compromised and you did NOT exercise Due Care, you are most likely liable.