Schneier reports that it wasn't a state-sponsored actor, but a criminal group called Group E. He says "state-sponsored actor" is often code for "please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that." [1]
Google is definitely more secure and more proactive at security than Yahoo. You can look through their security whitepaper: they take a systematic approach and they meet and exceed the state of the art.[2] In contrast, Yahoo was hashing passwords with MD5. Here's Ptacek saying "there is no redeeming quality to justify using MD5", in 2007.[3] Yahoo doesn't really have any excuse.
Google is definitely more secure and more proactive at security than Yahoo. You can look through their security whitepaper: they take a systematic approach and they meet and exceed the state of the art.[2] In contrast, Yahoo was hashing passwords with MD5. Here's Ptacek saying "there is no redeeming quality to justify using MD5", in 2007.[3] Yahoo doesn't really have any excuse.
[1] https://www.schneier.com/blog/archives/2016/09/the_hacking_o...
[2] https://drive.google.com/file/d/0B5Y-fwYJF2hLOTVmMzQ1MjAtMDF...
[3] https://web.archive.org/web/http://www.matasano.com/log/958/...
(I'm not affiliated with any of these companies.)