The name of this company ought to be released so they can be punished in the equity markets (or held up to public ridicule). It’s not like this was an unknown threat or that the expertise to have avoided it isn’t readily available.
Edit 2/19/2020: More details from Ars Technica. It appears that if you’re in a position of control in an IT organization, you’re going to have to start lobbying for software to sanitize email of links and attachments.