Not a huge shock, as I've rarely seen anyone defend the skill set of these guys. And although I do not condone these attacks in the slightest, it does raise the question: Why have all companies not implemented and/or developed better solutions to XSS and SQL injection attacks?
You don't have to spend millions and millions of dollars to defend against SQL injection or XSS; they are very well-established exploits and can easily be defended against or deterred. Plus it leaves traces, especially if the company has taken steps to make it harder to access SQL command injection. Fix the easy stuff that all crackers can easily exploit (like Lulzsec has) first, and then move on to the harder stuff meant for professional crackers.
All this talk about building an impenetrable fortress of internet security. It doesn't matter how many packet sniffers, IP loggers, firewalls, or intrusion detectors you have surrounding your fortress; if you don't have a good foundation (essential security fixes), then the fortress will collapse on itself. These guys didn't care about whether their hacks were quiet or not. They WANTED the publicity and that's what made these attacks so successful.