
Does it really make sense to blame just CrowdStrike for this?

They were one link in what appears to be a pretty fragile dependency graph.

For example, wouldn't it possibly make sense to also blame:

* Regulators / insurers / etc. who require passing the audits that mandate using services like this.

* System designers who failed to implement disaster recovery plans for this scenario.

* Auditors who failed to highlight this risk.

* Device vendors who made medical equipment susceptible to this kind of DoS.

* U.S. FDA / DEA who allowed and/or mandated systems with this kind of vulnerability.

* Voters (in democracies) who ultimately bear responsibility for their government's actions/inactions.

Etc.?



There's a lot of blame to pass around, and a lot of systems to reconsider, but at least initially, the blame lies with people who had a kill switch to critical infrastructure in multiple countries, were fully aware of that fact, and yet were so careless they accidentally pulled it.


I don't exactly care who is blamed for this in the chain of stupidity, but it must happen. This corrosive attitude of "oops software problems nothing we can do" must end fast.


The more you spread the blame, the less likely it is anything will change.



