Financial losses are not the only type possible. Loss of reputation or irreparable disclosure of personal data (e.g. some medical condition) are very difficult to measure in financial terms and possibly way more harmful.
I believe we should make an effort to evolve from a view where a service provider enrolls people and issues a credential to one of an ecosystem, where enrollment/credential issuance may be reused by many service providers/relying parties. This significantly complicates determining who is to blame for a loss.
The idea of an ecosystem is also that not every player has to absorb the full cost of a digital identity. The secure enrollment of a person is probably the most costly of all; the issuance and maintenance of a secure token (e.g., a smart card) is very costly too. In an ecosystem, it should be possible that enrollment and token issuance are done once or a few times, and then reused by many.
Evidently, plain (very) old X.509 certificates with the equivalent of a Social Security Number as part of the Subject CN would make such sharing impossible, unless people would accept having no privacy at all. More modern approaches that protect privacy are necessary.
[Note 1] Enrollment for a typical government-issued European eID in several countries means that the applicant has to appear in person, that the identity is verified against a population registry, and sometimes that biometrics are used to prevent double enrollment. Obviously this is the extreme end of the scale; but why redo enrollment and not find ways to derive (unlinkable) potentially pseudonymous or anonymous identities with guarantees, for example, that a real person of a certain age range is behind it? (Privacy Commissions in Europe run some anonymization servers, and I personally would trust them to derive an anonymous identity from my full government-issued one.)