Since never. At least for businesses that want to remain an ongoing concern.
A malicious attack by a third party is different from, say, the gym allowing black mold to grow in the locker room. I'd quit a gym if they had black mold. That's mismanagement. I wouldn't quit a gym if malicious third party intervention inconvenienced me.
Besides, GitHub is obviously more concerned about this than you or I could ever be. And having money doesn't make infrastructure magically appear.
I pay GitHub too. My company relies on it. I, too, was slightly inconvenienced this week. I was also slightly inconvenienced when I had to make a u-turn because the Battery Tunnel southbound on-ramp was closed. So what?
In summary: shenanigans! Good day sir!
You can reliably predict and protect against things like network outages, server failures, full datacenter failures (black mold)--you can directly measure their impact and plan failover paths. A DB server goes out? Whatever! That's why you have a hot backup or two online and ready to go.
What you can't predict is exactly how far a malicious third party will go to hurt you. You can't predict how many dollars they'll spend on their botnet minutes. You don't know if they're going to attack your infrastructure or the DNS. Can buying more bandwidth fix the problem? If so, how much more? And will the attacker simply up the ante when they see that you're recovering? Can filtering requests fix the problem? If so, will the attacker provision different resources to attack you with?
This isn't simply a matter of infrastructure, buying the right equipment, or setting things up "just right" precisely because there is a sentient actor trying to hurt you. It's more like a game of chess.
I find it slightly ironic that the entire point of git is that it is distributed version control but 90% of git use seems to be focused around a product from a single company.
Issues are normally mirrored to e-mails (caveat: you don't get mail for your own comments), so you can mostly pick up existing threads if your e-mail address book can find the github users involved. If they didn't obscure recipients (at least within an organisation — because I don't think address-book lock-in is worth inconveniencing paying clients), and made an auto self-bcc of your activity, issues would be entirely disaster resistant.
