Would I be correct then in saying that the security protocols for online are more aimed at the risk factor of having some exchange holding them than an actual personal hacking risk on a general user's computer?
What exactly do you mean by "the security protocols for online"?
When a web site asks you to send them your bitcoins, whether that is in return for a product/service or whether it is so that you can use those bitcoins on that web site (as is the case when the site is a currency exchange), you have irreversibly sent your coins to someone else, and now those coins are theirs. You are trusting them to carry out their part of the deal you struck, i.e. sending you the goods you bought, carrying out the service you paid for, or safely storing the coins for later use.
It is no different to you sending your coins to me and me promising to do something you want with them. The coins are no longer yours; all you have now is the promise from me to you.
Most of the time the site (or me) carries out the promise and everyone is happy.
Sometimes though, the site is broken into, or goes bankrupt and ceases operation. The coins are lost. The promises can't be carried out.
That is the risk of sending your coins (which you completely control as your property, and which are therefore your responsibility to secure) to some third party where you no longer control them and they aren't actually your property any more, secured only by how diligent the third party is.
If no banks had insurance and no banks were backed by the government then it would be a similar risk there: you put all your USD in the bank, then the bank says "oh sorry, we got robbed, it's all gone". You're left wondering how they let that happen, who took it, was it an inside job? Even then, at least it is criminal and the police would hopefully get involved to investigate.
In the real world, banks do have insurance and often are covered by financial regulations such that bank losses are covered by the government and customers don't need to worry about losing their own funds.
At the moment the bitcoin world is largely unregulated and the authorities don't see things like the MtGox bankruptcy as being a criminal matter. No police are investigating what happened to the bitcoins. People who lost funds in MtGox are left to organise their own civil prosecutions and investigation.
In the same context as your Target example: always have good passwords for stuff you do online but with 3rd party sites dealing with your money, extra security is best. Common sense more than some immediate looming threat?
Keeping your access to some third party site secure is your responsibility, and certainly if your computer is cracked into and credentials for bitcoin services are stolen from it then they may be used to take your coins off that service. That does happen all the time.
But what we're talking about here is the breach of promise by the site themselves. As with MtGox, they shut down while holding large sums of customer funds. As has happened to quite a few other bitcoin services as well.
As for whether it is Karpeles's fault and whether he should suffer any consequences: in my own view you can't screw up that badly without there being some degree of negligence. I hope it is investigated fully to determine whether that level of negligence is criminal. He needs to suffer business consequences for his negligence and if it is proven criminal then he needs to suffer legal consequences as well. Anything less is just inviting operators of bitcoin services to run with the funds.