Upon what verifiable facts do you base your endless speculation?
(1) Stop blaming the victim!
(2) Registrants can't "lock" domains, it's a registrar-lock. Users can only ask that domains be locked. Stupid policy, bad results.
(3) This is a red-herring issue anyway, since there is no evidence that Mel-IT ever sent notification, or even waited 5 days for a response. The domain was hijacked in the middle of the night, in the middle of a weekend -- a very odd time for confirming responses by a staff that wasn't in the office answering the phones....
(4) Mel-IT has admitted it "failed to properly confirm", and a "loophole" caused the error.
(5) Mel-IT has an executive and a lawyer that were both notified about the problem, and refused to mitigate the damage.
(6) Stop blaming the victim!
i dont think anyone is blaming the victim...what evidence do you have to support the domain being locked? a user can lock a domain..they can login to the control panel for there registrar and select registrar lock, registrar-lock, or lock and i am sure there are other registrars that word it even differently. once you select that it effectively locks your domain so it cant be transfered.