It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
1. In Sean's example, clearly the customer was a negligent party. 2. If Widgets Inc. doesn't promptly disconnect their system from the network upon notification of the problem, and/or fails to fix the system before reconnecting it to the network, then they have become a negligent party. 3. Although there's no real obligation for ISPs to do so, most that I know will eat it on the customer's behalf until some reasonable amount of time after they told the customer. That is exactly what happened in the case Sean brought up, except, the ISP ate it for far longer than reasonable.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Well... When I had a similar situation, the phone company tried very hard to tell me it was my problem. Finally, I found out what had happened, and provided them with photographs of a person tapping into lines from the junction on my pole and making phone calls. They did give me credit at that point, but, it took a lot of convincing and I got lucky with a camera.
[0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that.
Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a victim of the crap their software ends up spewing has a pretty good case against them for negligence at this point, but, IANAL. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.