It's a multi faceted blame. Yes, you blame the hardware that's helped used to commit the crime, then you blame the people using it to commit the crime, then you blame the people still allowing it to be done. Look at America for example. People use guns to kill children in schools. Then you blame the person for committing the crime, then you blame the politicians who refuse to make it harder to get a gun
The problem is where does the line end? I can use a Mason jar, metal bits, and some simple household chemicals to make a shrapnel bomb like they used in the Boston Bombing. Should we ban Mason jars? I can additionally buy a dozen consumer drones and then attach those shrapnel bombs and fly them into a crowd at eye level - making the Boston Bombing look tame in comparison.
Are we to ban drones? I can use basic household cleaners to make mustard gas, I can get cyanide from regular items, I can take my car and drive it into a group of children waiting for the bus.
If someone wants to commit a crime, they are going to find a way. There's a line where we have to look and say - the costs of living in a free society means that individuals have the capacity to commit crimes. If we get rid of the capacity to commit crimes entirely, we would have also necessarily gotten rid of the free society.
I don't get these arguments. These tools aren't weapons, and limiting legal access to pentesting tools will decrease corp's and individuals' ability to be proactive about security.
These devices can be manufactured relatively easily and making them illegal will essentially mean the only people doing security tests are criminals. Large tech companies, correctly, run bug bounties where independent security researchers can make income by reporting reproducible and exploitable bugs. The concept here is called offensive security and it's extremely important for building better and more secure platforms. This situation will never be improved by limiting legal access to useful testing tools.
The responsibility should be on automakers and other companies that have massively insecure products, not on open source developers who are making products for security researchers.