Personally, I would blame both. The manufacturers should be criminally liable if anyone gets injured and required to do a recall for defects. Security research should be legal and encouraged. However, anyone that maliciously uses a defect to injure someone (or attempt to) should be treated as if they had used a physical weapon.