This sounds like general problem of enterprise security. There are no consequences. I can entirely get why a company would outsource IP cameras to a third party cloud, even with storing data on-site. Business runs on contracts. It’s entirely normal to contract out everything except your core competencies, if it’s cheaper this way. It’s how you turn CAPEX, complex OPEX and high risk into simple OPEX and low risk. A contract is in big part a risk shifting tool. This works well in practice… outside IT. The problem is, with IT and data, there’s a mismatch between expectations and reality. An enterprise should feel safe buying their video surveillance from Verkada, because between the contract and the legal framework, Verkada should be bankrupt now, and their management possibly facing jail time. That’s the part where contracts work as Cover-Your-Ass tool: if you shift risk and liability to outside party, the liability is not on you.
However, this only works as long as the other party actually internalizes the risk and liability. Since there are no consequences for mishandling data, operating IT services you’re not structurally competent to operate, and eventually having your crown jewels stolen - the contractor doesn’t really internalize risk, has no incentive to mitigate it.
All this to say: Verkada should go down after this, and their customers should be named and shamed widely - the latter is so that future customers of IT services put more care into vetting companies they contract IT out to. You shouldn’t get to CYA with a contract where assumptions around contracting are broken.