
It is a very real option. If it's not being exploited by hundreds of people right now and you make more money keeping the site up vs. what you lose in "fraud" it makes sense to keep it running.

Just like you don't shut down your store if someone stole some merchandise or how credit cards just factor fraud into the fees.



It's often a violation of both government laws and insurance contracts, if you knowingly expose that much financial information to a proven vulnerability.

There are businesses where if you suffer a theft, you shut everything down and run a stocktake. For example, an arms dealer. And there are times credit card providers shut down - because there is a known vulnerability, and they have to immediately mitigate, or lose their insurance.


Ok, but shutting down the website because of legal/moral responsibility to protect customer info is very different than doing so because of the “real money involved”, which is what commenter dewey was responding to. You can choose to just take the fraud cost hit in the latter case.


That's why people aim for the legal costs to be commensurate with the possible gain they will miss out on. Many corporate penalties are small enough that mathematically, it's absolutely worth simply breaking the law all the time.


I don't think this is a good analogy. It's more like you find that the lock on your store's front door has been broken for a long time and you just hadn't noticed. Nobody has broken in yet, but could at any moment. Also, it's not just your goods and business that are at risk; instead, you're responsible for the protection of things that belong to other people.



