
I highly doubt, if they even had a dedicated "security team" at the time the platform was architected as such, that they would have told the rest of the company they "had best-of-breed security". They would have understood their shortcomings and communicated them up the chain of command. And firing them and hiring an outside team of "security experts" to re-architect their system wholesale would be a patently absurd course of action.

The form of responsibility taking you're demanding is actually just business as usual, reactionary scapegoating.



> I highly doubt, if they even had a dedicated "security team"

I can only agree. From what I have seen of previous security vulnerabilities, it often seemed to fall into either straight-out negligence or intentional ignorance because it's easier "that way".

I believe security has never been and will never be a top priority for Zoom. At least while they can get away with it, which they currently seem to be able to do.

Also, I have seen it more than once that a team originally had good intentions of making good, secure software (but not necessarily enough expertise), but due to frequent changes in priorities or wrong time estimates they end up with software which "works" but internally is broken, with a promise from management that if they produce something like that soon then they will get to fix security issues in a few months. But then they never get that time and shitty security becomes the norm. Following that, people with security expertise get demotivated and move on (either literally by changing jobs or metaphorically by just accepting writing not-so-secure software).



