Let me put it this way. Whoever gave an insecure system a public IP effectively invited attacks on an insecure system. Whoever made the DNS mistake is an also idiot and by inviting MORE attacks on the insecure system. Despite the idiot or idiots that invited all these attacks on an insecure system, the system WAS insecure in and of itself. If it was known to be insecure before the aforementioned idiots did their work, they are at fault. If the system was though to be secure, they still may be idiots, but they're not really at fault, unless it's at all related their jobs to ensure that systems they publicize are secure.
But, before you go chewing ass, make sure you know HOW the system was infiltrated. It's easy to blame a web app developer. But, unless you've got log entries or clear evidence that the system was broken in via the application, all you've got is an insecure system and no ideas. It could just as easily be a weak system user password as it could be a missing .htaccess file. Or, it could just as easily be an apache or firewall misconfiguration.
There's a lot that can go wrong. Don't flippantly start biting heads off until you've performed a full analysis -- ensured that the basics are in place: strong passwords, sound firewall rules, correctly installed/configured/running apache and DBMS, etc..
Also ... don't double post.