"Q: Why didn’t you hire experienced professionals?
A: We tried, but we didn’t have money and also often they turned us down. A former Financial Services Agency bureaucrat approached us once last year, but he declined our offer at the end."
I'm pretty sure what happened here is a professional was interested in helping out, got a look at the books and ran.
I regretfully can't tell you the context, but suffice it to say the following was once said in Tokyo: "I do not want to be one of the 100 closest gaijin to that office when shit goes down." (The Japanese immigration agency is occasionally - oh wait they still have my renewal form at the office? - zealous in their execution of their statutory duty to remove undesirable foreigners from Japan.)
You don't need to look at the books for that. Imagine you got that offer. Millions going through the accounts that you have to protect, secure in online and offline environments, monitor, ideally have complete control over access logs, think about relevant company certifications that may be required because you deal with money one way or another. And you need to have some practical banking knowledge on top of that. If anything goes as bad as it did, it could be your name in that article instead of the company owner's.
With no inside knowledge of the books, how many people would you think need to be on the security side of that company, and how much would you request to get paid? I'd definitely go with (10+)x the amount a very well-paid person gets in other companies.
There have been a few people in /r/asknetsec recently saying they are in charge of a bank's security and needing help with very basic things. I hope for their sakes they move on before everything hits the fan.