I would now submit that those said entities, the necessary ones, are a 'more important' necessary than the necessity of the assumption that all data given to a third-party be insecure. Does that not then place the blame on the companies that require your pertinent information? If you must consider all information given toa third-party entity to be insecure, and if <aforementioned third-party entities> are a necessity, than placing the blame on the end-user is the very definition of victim-blaming.
Blaming the companies is just as much a form of vicitim-blaming. Its the hackers who decided to steal the information, and thus they are the ones who are morally responsible. The fact that better internet security practices would make it harder for hackers and are the best way of protecting yourself does not change that.
If I entrust a piece of jewellery to a bank and have them keep it in their vault and subsequently the bank is robbed and my jewels are stolen the responsibility lies neither with myself nor with the bank, but with the people who decided to rob the bank, which is why bank-robbery is a crime and 'failure to make your bank 100% unrobbable' is not.