IMHO this is purely a developer's problem. users are completely different, and most do not even know what cookies are, while a competent developer writes his software for everyone
IMHO here or bind it to an IP, which is not very good, because. most users have dynamic IPs, or accept that which may compromise security.
You can also bind it to the Useragent as an additional security parameter or even encrypt it in the user agent.
You can also invent perversions, for example, update the cookie every time the user logs in, etc.

It depends on the method of theft - be it XSS - the developer is to blame, and if the user enters miracle scripts into the address bar, then he is to blame.

If cookies are stolen directly from the user's computer, then the user himself is 100% to blame, similarly if your icq password was stolen? We will not blame icq.com for this
>Depends on the method of theft - whether it is XSS - the XSS developer is to blame
- There are no options, only the developer's fault!

there may still be a fault of the browser developer, if there is a vulnerability in the browser that allows you to steal cookies
as well, if the cookies are stored on the client in an unencrypted form - also for the most part the fault of the browser developers

I agree with the opinions above and add on my own: I usually wrap the user agent + the first digits of the IP address in md5, I just compare it at the entrance.

To this question, there is only one answer (judging by the comments) - everyone is guilty! And site developers and users and third parties (in our case, browser developers).