The real question is why hasn't anyone at VTech been arrested?
Adding my voice to what Guus has said above;
Why aren't VTech being held accountable for this? They've not lost anything trivial like their customers bank details or their credit card information. They've practically left the door open for hackers to walk off with the unencrypted details of over 6,370,000 children.
Craig Jones advising consumers to follow cyber-security advice is a poor sop to angry parents that have done nothing wrong and are quite rightly concerned that their children's details are out there on the internet and available to people that might not have their childrens best interests at heart.
You can follow all the cyber-security advice you like, but it will do you no good if they company storing your data gets breached.
What are the parents of these 6,370,000 children supposed to do? Move house and change all their phones? What deterrent will be put in place to remind companies that our data is valuable to us and will cause us a material harm if it is not kept safe?