It seems to me that a company that produces security software should know how to protect their own forum.
Skills in one area don't often translate over. I know some people who are good coders but couldn't troubleshoot a hardware issue on their development system at all. That said, a company that deals in computer security should be smart enough to know they need people with the right skills.
So keep in mind that security is a process, not a product, nor is it a destination. No matter how well you defend yourself, if you offer access of any kind, you can be attacked. It doesn't matter if it's your own custom code or that of a third party. While you can take steps to make things less likely by picking third-party products that have good records or using extensive testing on custom code, you'll never find every possible issue in anything complex.
The right steps would have been to acknowledge the issue, work to find the cause without offering any kind of public blame, seek to get that issue fixed, and then put out a report detailing as best you can what happened and how you fixed it. Especially as a security company, you live by your reputation. Turning a public failure into a good example for your customers won't win all of them back, but it may get you some new ones.
Could Avast have fully protected themselves? Doubtful. It's just not possible with the complexity of web applications today. Could they have handled the situation better? Certainly.
In my personal opinion, Avast is the "Big Lots" of the security industry.
Nah, that's more the domain of AVG, or at least has been lately. Avast has always been the slightly more indie product, more of a Tuesday Morning.
(For those not familiar with the brands, Big Lots and Tuesday Morning are both retail liquidators, but Big Lots is considered more down-scale and Tuesday Morning positions itself as an upscale store.)